Drawing colored squares on the screen, at randomly chosen coordinates and in randomly chosen colors.

In SDL, drawing is done on so-called graphics surfaces: areas of memory that can be drawn into and, on request, displayed on the screen. A surface is characterized by its resolution (the number of available pixels) and its color depth (the number of colors that can be displayed). Configuring the video mode creates such a surface:

    SDL_Surface *screen = SDL_SetVideoMode(640, 480, 8, SDL_SWSURFACE);

Drawing a square: the function SDL_FillRect. We must specify the surface we draw on, the coordinates of the top-left corner, the lengths of the sides (the general case is a rectangle) and the drawing color.

The drawing color is built from three color components, red, green and blue; this is called an RGB code (red, green, blue). We specify the intensity of each component, usually in hexadecimal: intensity 0x00 means the component is absent, intensity 0xFF means the component is at its maximum. Examples of colors:

    red:     0xFF 0x00 0x00
    blue:    0x00 0x00 0xFF
    yellow:  0xFF 0xFF 0x00
    orange:  0xFF 0x80 0x40

Each color component has an intensity between 0x00 and 0xFF, i.e. 256 possible values; with three components (red, green and blue) that gives 256*256*256 = 16777216 possible values. The surface in use may not be able to display that many colors, so the RGB code is mapped to a color the surface supports, by the function SDL_MapRGB.

The drawing loop of the notes. The number of squares and the way the random values are obtained are not given in the notes; the loop below uses rand() against the 640x480 surface for the random positions and components, which is the plain reading of "random coordinates, random colors":

    SDL_Rect r;
    Uint32 culoare;
    Uint8 rosu, verde, albastru;
    int i;

    /* size of each square: 32x32 pixels */
    r.w = r.h = 32;
    for (i = 0; i < NR_PATRATE; i++) {          /* NR_PATRATE: how many squares (not given in the notes) */
        r.x = rand() % (640 - r.w);             /* random position inside the surface */
        r.y = rand() % (480 - r.h);
        rosu = rand() % 256;                    /* random color components */
        verde = rand() % 256;
        albastru = rand() % 256;
        culoare = SDL_MapRGB(screen->format, rosu, verde, albastru);
        /* draw the current square */
        SDL_FillRect(screen, &r, culoare);
        /* force it to be shown in the window */
        SDL_Flip(screen);
    }
    SDL_Delay(5000);

In any game the user presses keys and uses the mouse, and the program must react to all of this. SDL has the notion of events, which can be generated by the keyboard, the mouse, a joystick, etc. The function SDL_PollEvent checks whether such events have been triggered. Two kinds of events interest us: a key press (SDL_KEYDOWN), on which we leave the program if the key was ESCAPE, and the command to stop the program (SDL_QUIT), on which we leave the program as well. The key code must be compared with SDLK_ESCAPE using ==, not assigned with =.

    SDL_Event event;
    int gata = 0;

    while (!gata) {
        /* draw on the in-memory surface */
        deseneaza_patrat(screen);
        /* show the surface on the screen */
        SDL_Flip(screen);
        /* if and for as long as the user presses keys, react to them */
        while (SDL_PollEvent(&event)) {
            switch (event.type) {
            /* a key was pressed */
            case SDL_KEYDOWN:
                /* if it is ESCAPE, leave the program */
                if (event.key.keysym.sym == SDLK_ESCAPE)
                    gata = 1;
                break;
            /* the window is being closed: leave the program */
            case SDL_QUIT:
                gata = 1;
                break;
            }
        }
    }

How do we model the pieces in the program? Any piece fits inside a 4x4 square, and some pieces can be obtained from others by rotation, so we keep only the base pieces.

Bit encoding. The grid

    0 0 0 0
    1 1 1 0
    0 1 0 0
    0 0 0 0

has 4x4 = 16 cells, which fit exactly into an unsigned short: one bit per cell, row by row, starting from the most significant bit. Read this way, the grid above has the value 0x0E40 (in hex). In code:

    unsigned short piese[] = { 0x0E80, 0x0660, 0x0E20, 0x0E40, 0x4444, 0x06C0, 0x0C60 };

Traversal with a bit mask, to find where the 1 bits are: where we find a 1 bit we draw a colored square, where the bit is 0 we draw a black square.

    piece code: 0000111001000000
    mask:       1000000000000000
                0100000000000000
                0010000000000000
                0001000000000000
                ...
                0000000000000010
                0000000000000001

The bitwise AND operator between the piece code and the mask tells us whether the current position holds a 1 or a 0. To rebuild the two-dimensional structure (the 4x4 grid) we traverse in two for loops. In pseudocode (the stepping of r to the next row is not shown in the notes and is added here):

    unsigned short masca = 1 << (8 * sizeof(unsigned short) - 1);   /* 0x8000: the top-left cell */
    for (i = 0; i < 4; i++) {                                      /* rows */
        for (j = 0; j < 4; j++) {                                  /* columns */
            if (piesa & masca)
                culoare = SDL_MapRGB(screen->format, 0xFF, 0x80, 0x40);
            else
                culoare = SDL_MapRGB(screen->format, 0x00, 0x00, 0x00);
            SDL_FillRect(screen, &r, culoare);
            r.x += r.w;                                            /* next column */
            masca >>= 1;                                           /* next bit */
        }
        r.x -= 4 * r.w;                                            /* back to the first column */
        r.y += r.h;                                                /* next row */
    }
We work with the bit representation. Rotation clockwise: in other words

    a b c d            m i e a
    e f g h    turns   n j f b
    i j k l    into    o k g c
    m n o p            p l h d

We use the bit shift operators. Bit d moves from position 12 to position 0: (cod & (1 << 12)) >> 12. Bit h moves from position 8 to position 1: (cod & (1 << 8)) >> 7.

    ... SDL_MapRGB(screen->format, 0, 0, 0);
    for (i = 0; ...
    ... SDL_MapRGB(screen->format, rosu, verde, albastru);

We write a helper function, to determine whether at coordinates (i, j) there is a block or empty space:

    int are_bloc(unsigned short piesa, int i, int j)
    {
        unsigned short masca = 0x8000;   /* top-left cell */
        masca >>= i * 4 + j;             /* move to cell (i, j) */
        return (piesa & masca) != 0;
    }

    void deseneaza_piesa(SDL_Surface *screen)
    {
        int i, j;
        SDL_Rect r;
        Uint32 c;

        r.w = r.h = BLOCK_SIZE;
        for (i = 0; ...

$\ge 0$, $L(s_{i_k}) = L(s_{i_k+1}) = \cdots = L(s_{i_{k+1}-1}) = L(r_{j_k}) = L(r_{j_k+1}) = \cdots = L(r_{j_{k+1}-1})$. The indices $i_k$ and $j_k$ are the starting points of identically labeled subsequences of states in the two paths, respectively. The stuttering equivalence relation between $\sigma$ and $\rho$ is denoted by $\sigma \sim_{st} \rho$.

Figure 2.1: Stuttering equivalent paths.

For assertions about the behavior of a program, we use the temporal logic LTL [GPSS80]. Given a finite set of propositions $AP$, the formulas of LTL are defined inductively as follows:

• $p$ is a formula, for every $p \in AP$;
• if $\varphi$ and $\psi$ are formulas, then so are $\neg\varphi$, $\varphi \wedge \psi$, $X\varphi$ and $\varphi\,U\,\psi$.
An execution sequence $\sigma = s_0 \to s_1 \to \cdots$ is said to satisfy an LTL formula $\varphi$ (denoted by $\sigma \models \varphi$) under the following conditions, where $\sigma^i$ denotes the suffix of $\sigma$ starting at $s_i$:

• $\sigma \models p$ iff $p \in L(s_0)$, for $p \in AP$;
• $\sigma \models \neg\varphi$ iff not $\sigma \models \varphi$;
• $\sigma \models \varphi \wedge \psi$ iff $\sigma \models \varphi$ and $\sigma \models \psi$;
• $\sigma \models X\varphi$ iff $\sigma^1 \models \varphi$;
• $\sigma \models \varphi\,U\,\psi$ iff there exists $i \ge 0$ such that $\sigma^i \models \psi$ and $\sigma^j \models \varphi$ for all $0 \le j < i$.

By condition C1, $\alpha_k \in ample(s_0)$ is independent of $\alpha_0, \ldots, \alpha_{k-1}$ and commutes with all these transitions. Thus, the transition sequence $\alpha_k\alpha_0\alpha_1\cdots\alpha_{k-1}$ can be executed in $s_0$, leads to the same state as the transition sequence $\alpha_0\alpha_1\cdots\alpha_k$, and can be followed from this state by the remaining suffix $\alpha_{k+1}\alpha_{k+2}\cdots$ of $\sigma$.

(b) $\sigma$ does not contain any transition from $ample(s_0)$. Let $\beta \in ample(s_0)$ be an arbitrary transition. By condition C1, $\beta$ is independent of all transitions in $\sigma$. Therefore, if $s'_1 = \beta(s_0)$, then $\alpha_0 \in enabled(s'_1)$, and inductively it follows that the entire transition sequence $\alpha_0\alpha_1\cdots$ can be executed from $s'_1$.

However, the fact that each path in the full state space can be transformed into a path which includes the same transitions and has a prefix which belongs to the reduced model is not sufficient in itself. One has to guarantee that the specification is not affected, by ensuring that the generated path is stuttering equivalent to the original one. This aspect is handled by the following condition:

C2 (Visibility) If $ample(s)$ contains a visible transition, then the state $s$ is fully expanded, i.e., $ample(s) = enabled(s)$.

We explain the effect of this condition based on the cases (a) and (b) presented for condition C1. In case (a), since $\alpha_0 \notin ample(s_0)$, it follows that state $s_0$ is not fully expanded and thus all transitions from it must be invisible. If we denote by $\sigma_{>i}$ the remaining suffix of the transition sequence, we prove by induction on $i$ that for prefixes of $\sigma$ of length $i \ge 0$ we can construct a sequence $\sigma'$ which is stuttering equivalent to the prefix and satisfies the following invariant, where $I$ is the set of indices of marked transitions (those of $\sigma$ already copied into $\sigma'$) and $\delta$ the sequence of transitions inserted into $\sigma'$ that do not occur in $\sigma$:

(a) $L(s_i) = L(s'_j)$;
(b) $\alpha_k$ is invisible and independent of $\alpha_l$, for all $l \notin I$, $l < k$, $k \in I$;
(c) the sequence obtained from the suffix $\sigma_{>i}$ by removing marked transitions is enabled in $s'_j$ in the original model;
(d) each transition in $\delta$ is
invisible and independent of all transitions $\alpha_k$, for all $k > i$, $k \notin I$ (all unmarked transitions past the current point in $\sigma$);
(e) $s_i \sim s'_j$; that is, the marked transitions (comprising $\sigma|_I$) together with the inserted transitions (comprising $\delta$) are exactly those that belong to $\sigma'$.

3. $i \notin I$, and there exists $k > i$, $k \notin I$, such that $\alpha_k \in ample(s'_j)$. That is, $\alpha_i$ is neither marked nor ample, but there is an ample unmarked transition $\alpha_k$ later in the sequence. Let $k$ be the smallest such index. We mark transition $\alpha_k$ and append it to $\sigma'$, i.e., $I' = I \cup \{k\}$, $j' = j + 1$ and $s'_{j+1} = \alpha_k(s'_j)$. Because $\alpha_k$ is ample (and therefore, by C1, independent of the unmarked transitions $\alpha_i, \ldots, \alpha_{k-1}$ that precede it), it can be executed in $s'_j$, and the remainder of this sequence remains enabled in $s'_{j+1}$, which proves (c). Part (d) still holds since $\delta$ is the same, and there is one less unmarked transition. By substituting $\alpha_k$ for $\alpha_l$ in (b), we obtain that $\alpha_k$ commutes with all marked transitions which occur later in $\sigma$, and because of (d) it also commutes with the transitions in $\delta$. Therefore, since $I' = I \cup \{k\}$, $s_i \sim s'_j \to s'_{j+1}$ implies $s_i \sim s'_{j+1}$ (with $\alpha_k$ inserted to preserve the increasing ordering of $I'$) and the final part of the invariant is proved.

4. $i \notin I$, and for all $k > i$, $k \notin I$: $\alpha_k \notin ample(s'_j)$. That is, there is no remaining unmarked transition which belongs to $ample(s'_j)$. We need to insert an ample transition so that $\sigma'$ remains a legal transition sequence in the reduced model. Select an arbitrary transition $\beta \in ample(s'_j)$ and let $j' = j + 1$, $s'_{j+1} = \beta(s'_j)$. We also append $\beta$ to the sequence of transitions inserted so far, $\delta' = \delta\beta$. Again, since $s'_j$ is not fully expanded, $\beta$ has to be invisible, so $L(s'_{j+1}) = L(s'_j) = L(s_i)$, and (a) still holds. None of the variables involved in (b) changes. Since $\beta$ is independent of all transitions in $\sigma_{>i}$ that are unmarked, (c) remains valid as well, and $\beta$ can also be appended to $\delta$ without violating (d). Finally, $s_i \sim s'_j \to$
$s'_{j+1}$, therefore $s_i \sim s'_{j+1}$, which proves (e).

To conclude the induction proof, we note that only a finite number of steps of type (3) or (4) (for which the current point in $\sigma$ is not advanced) can be taken without performing either (1) or (2). Otherwise, the transition sequence $\sigma'_{>j}$ eventually closes a cycle on which transition $\alpha_i$ is always enabled without ever belonging to an ample set, which contradicts C3. Therefore, after a finite number of steps either (1) or (2) must be performed, which advances the current point in $\sigma$ by 1, $i' = i + 1$. The above four cases therefore guarantee a finite procedure that constructs in the reduced model a stuttering equivalent prefix for $\sigma$.

such that $\sigma^k \models \varphi_2$ and $\sigma^j \models \varphi_1$ for all $0 \le$

$> y)$. On the other hand, if $b$ is executed first, the system reaches the state $((r_1, s_2), x > y)$, and then, after executing $a$, the state $((r_2, s_2), x$

• $\tau_k = (d, i) \in T_\Delta$, $s_k = s_{k-1}$, $v_k = v_{k-1} +_i d$, and $I_i(s_k)(v_{k-1} +_i d')$ holds for all $d' \in [0, d]$, or
• $\tau_k \in T$, $(s_{k-1}, v_{k-1}) \to (s_k, v_k)$, and $\sum_{l=1}^{k-1} delay_i(\tau_l) = \sum_{l=1}^{k-1} delay_j(\tau_l)$ for all $i, j \in active(\tau_k)$.

In the first case, automaton $A_i$ takes a local delay transition, denoted by $(s_{k-1}, v_{k-1}) \rightsquigarrow_i^d (s_k, v_k)$. The second case corresponds to an action transition $(s_{k-1}, v_{k-1}) \to$
$(s_k, v_k)$, with the additional constraint that the elapsed time (the sum of delays) is identical for all automata in the active set. (For a local action transition, with only one active automaton, this additional constraint is void.) In both cases, a transition $\tau_k$ that satisfies the given conditions is said to be enabled after the execution of $\tau_1 \cdots \tau_{k-1}$. Denote by $enabled(\sigma)$ and $enabled^*(\sigma)$ the set of transitions and transition sequences, respectively, that can follow a finite trace $\sigma$.

For a finite execution trace $\sigma = (s_0, v_0) \xrightarrow{\tau_1} (s_1, v_1) \cdots (s, v)$, let $time_i(\sigma) = t_0 + \sum_{k=1}^{|\sigma|} delay_i(\tau_k)$, where $t_0 \in \mathbb{R}^+$ is an arbitrary value denoting the timepoint at which the execution of $\sigma$ starts. Then $time_i(\sigma)$ (or simply $time_i$, when $\sigma$ is understood from the context) denotes the timepoint reached in $A_i$ after executing the transitions in $\sigma$. The local configuration of $A_i$ reached by $\sigma$ is the tuple $cfg_i(\sigma) = (s_i, v_i, time_i)$, where $v_i$ is the restriction of $v$ to the clocks of $A_i$. The global configuration of $A$ is the tuple $cfg(\sigma) = (cfg_1(\sigma), cfg_2(\sigma), \ldots, cfg_n(\sigma))$, also written as $cfg(\sigma) = (s, v, time)$ with $time = (time_1, time_2, \ldots, time_n)$. The set of all configurations is then $\mathcal{C} = \mathcal{E} \times (\mathbb{R}^+)^n$, where $\mathcal{E}$ is the set of states $(s, v)$.

The definition of the local time model expresses the enabling of an action transition in terms of the trace executed so far. The following proposition shows that a configuration contains sufficient information to completely determine the subsequently enabled transitions.

Proposition 1. The following properties hold in the local time model $L(A)$ for finite execution traces $\sigma$ and $\sigma'$ and a transition $\tau \in enabled(\sigma)$:

• if $cfg_i(\sigma) = cfg_i(\sigma')$ for all $i \in active(\tau)$, then $\tau \in enabled(\sigma')$ and $cfg_i(\sigma\tau) = cfg_i(\sigma'\tau)$ for all $i \in active(\tau)$;
• $cfg_j(\sigma\tau) = cfg_j(\sigma)$ for all $j \notin active(\tau)$,

where $\sigma\tau$ denotes the trace obtained by extending $\sigma$ with the transition $\tau$.

Proof: For the first part of the proposition it suffices to show that the enabledness of a transition and its effect depend only on the local configurations of the automata in its active
set. For a local delay transition $\rightsquigarrow_i^d$ in automaton $A_i$, its enabledness is a function only of the local invariant in state $s_i$ and the clock valuation $v_i$. The only state change is the increment of valuation $v_i$ by $d$, which is again independent of other components.

For an action transition $(s, v) \xrightarrow{a} (s', v')$, the definition of parallel composition implies that its enabledness in $S(A)$ depends on the local states $(s_i, v_i)$ and the invariants of $s_i$ for $i \in active(a)$. For $L(A)$, the additional constraint is written as $time_i(\sigma) = time_j(\sigma)$ for $i, j \in active(a)$, which also depends only on $cfg_i(\sigma)$ for $i \in active(a)$. The state change is a function of the local state only: for $i \in active(a)$, $s'_i$ is given by the edge $(s_i, \varphi_i, R_i, s'_i)$ in automaton $A_i$, and $v'_i = v_i[R_i \to 0]$. For $j \notin active(a)$, we have $s'_j = s_j$ by definition and $v'_j = v_j$, since no clocks in $A_j$ are reset. Finally, for the time component, we have $time_i(\sigma\tau) = time_i(\sigma) + delay_i(\tau)$ for all $i \in 1..n$. Therefore $time_i(\sigma) = time_i(\sigma') \Rightarrow time_i(\sigma\tau) = time_i(\sigma'\tau)$. Since the definition of $delay$ ensures that $delay_j(\tau) = 0$ for all $j \notin active(\tau)$, this implies $time_j(\sigma\tau) = time_j(\sigma)$ for $j \notin active(\tau)$. □

As a consequence, two finite execution traces leading to the same configuration have the same set of enabled transitions. For a configuration $\gamma \in \mathcal{C}$ one can thus define $enabled(\gamma) = enabled(\sigma)$, where $\sigma$ is an arbitrary execution trace with $cfg(\sigma) = \gamma$. Likewise, the successor configuration of $\gamma$ by a transition $\tau \in enabled(\sigma)$ is defined as the configuration reached when extending the trace $\sigma$ by transition $\tau$: $succ_\tau(\gamma) = cfg(\sigma\tau)$. This is again independent of $\sigma$ and we write $\gamma \xrightarrow{\tau}$
$succ_\tau(\gamma)$.

We are now ready to prove the desired independence properties for transitions in $L(A)$. In general, two transitions are called independent if neither disables the execution of the other, and the same state is reached by executing them in either order. This notion is formalized as follows:

Definition 9 (Independence). Two transitions $\tau_1$ and $\tau_2$ are independent iff for any finite execution trace $\sigma$ such that $\tau_1, \tau_2 \in enabled(\sigma)$ the following two conditions hold:

Enabledness: $\tau_2 \in enabled(\sigma\tau_1) \wedge \tau_1 \in enabled(\sigma\tau_2)$;
Commutativity: $fin(\sigma\tau_1\tau_2) = fin(\sigma\tau_2\tau_1) \wedge enabled^*(\sigma\tau_1\tau_2) = enabled^*(\sigma\tau_2\tau_1)$,

where $fin(\sigma)$ denotes the last state on the trace $\sigma$. The following theorem then holds (cf. [BJLW98]):

Theorem 1. Two (action or local delay) transitions $\tau_1, \tau_2$ that involve disjoint sets of automata ($active(\tau_1) \cap active(\tau_2) = \emptyset$) are independent.

Proof: If $j \in active(\tau_2)$, then $j \notin active(\tau_1)$ and $cfg_j(\sigma\tau_1) = cfg_j(\sigma)$ for all $j \in active(\tau_2)$. Thus, $\tau_2 \in enabled(\sigma) \Rightarrow \tau_2 \in enabled(\sigma\tau_1)$, and symmetrically for the second conjunct. For commutativity, since $active(\tau_1) \cap active(\tau_2) = \emptyset$, each of the local configurations is changed at most once, either by $\tau_1$ or by $\tau_2$, independently of their ordering. Therefore, $cfg(\sigma\tau_1\tau_2) = cfg(\sigma\tau_2\tau_1)$. In particular, this means $fin(\sigma\tau_1\tau_2) = fin(\sigma\tau_2\tau_1)$, and furthermore, since the enabledness of transitions depends only on the reached configuration, $enabled^*(\sigma\tau_1\tau_2) = enabled^*(\sigma\tau_2\tau_1)$. □

A finite trace $\sigma$ in $L(A)$ is called synchronized if $time_i(\sigma) = time_j(\sigma)$ for all $i, j \in 1..n$, i.e., if all automata have executed for the same amount of time, denoted by $time(\sigma)$. The following theorem relates the reachable state spaces of the standard and local time models (cf. [BJLW98]):

Theorem 2. Each state $(s, v)$ reachable in $S(A)$ is also reachable in $L(A)$. Moreover, each state reached by a synchronized trace $\sigma_l$ in $L(A)$ is also reachable in $S(A)$.

Proof: For the first part, note that any execution trace in $S(A)$ yields an execution trace in $L(A)$ by replacing each global delay transition
$\rightsquigarrow^d$ with the sequence of local delay transitions $\rightsquigarrow_1^d \cdots \rightsquigarrow_n^d$. The reverse implication follows by induction on the number of action transitions in $\sigma_l$. For the base case, if $\sigma_l$ is synchronized and contains only local delay transitions, they sum up to the same total delay $d$ in every automaton. Then $fin(\sigma_l)$ is reachable in $S(A)$ by executing the global delay transition $\rightsquigarrow^d$. For the induction step, consider the action transition $a$ in $\sigma_l$ executed at the latest timepoint,

Since $(s, v) \rightsquigarrow_i^d (s, v')$ iff $v' = v +_i d$ and $I_i(s_i)(v')$ holds, we obtain that $succ_{\rightsquigarrow_i}(\varphi_l) = \varphi_l\!\uparrow_i \wedge I_i(s_i)$, which is again a difference constraint. Combining action and delay steps, we obtain:

$succ_Z(\varphi_l, a) = \big(\exists X_a.\ \varphi_l \wedge \varphi_a \wedge \bigwedge_{i,j \in active(a)} t_i = t_j \wedge \bigwedge_{x \in R_a} t_x = t_{i_x}\big)\!\uparrow_{active(a)} \wedge \bigwedge_{i \in active(a)} I_i(s_i)$,

where $X_a$ is the set of reset-time variables of the clocks in $R_a$ and $t_{i_x}$ is the reference time of the automaton that owns clock $x$.

Despite the desynchronization introduced by the local-time model, the representation of a local-time clock zone is still monolithic and relates reset times of clocks to reference times in all automata. We prove that for a class of networks the following simpler representation holds:

Proposition 4. If every synchronization transition in network $A$ resets at least one clock in each participating automaton, a local-time clock zone has the form $\varphi_l = \varphi_g(T) \wedge \bigwedge_{i=1}^{n} \varphi_i(T_i, t_i)$, where:

• $\varphi_g(T) = \bigwedge_{t_x, t_y \in T} t_x - t_y \le c_{xy}$, with $c_{xy} \in \mathbb{Z}$;
• $\varphi_i(T_i, t_i) = \bigwedge_{t_x \in T_i} (t_i - t_x \le c_{ix} \wedge t_x - t_i \le c_{xi})$, with $c_{ix}, c_{xi} \in \mathbb{Z}$.

In this case, we call $A$ a sync-reset network of automata.

The special form of a clock constraint in this case signifies that there is no need to explicitly maintain constraints that relate the reset time of a clock to the local time of a different automaton. The constraint is composed of a global constraint $\varphi_g(T)$ that relates pairs of any two reset times, and of one local constraint $\varphi_i$ for each process, comparing the reset times in the automaton $A_i$ to its local clock $t_i$. A network of automata $A$ may satisfy this additional property if each synchronization transition determines the future timing behavior of both automata involved, and it is thus necessary to refer to its execution time by means of a
clock reset in both automata.

Proof: The initial zone can be written as $init_Z(s_0) = \bigwedge_{x,y \in C}(t_x = t_y) \wedge \bigwedge_{i=1}^{n} I_i(s_0)$. In the expression of $succ_Z$ from Proposition 3 the term $\varphi_l \wedge \varphi_a \wedge \bigwedge_{i,j \in active(a)} t_i = t_j$ has the required form, save for the equalities $t_i = t_j$. Quantification over $X_a$ introduces constraints between $t_x$ and $t_i$, for $t_x \in T$ and $i \in active(a)$. By assumption, for every $i \in active(a)$ there exists a clock $x \in R_a \cap C_i$ that is reset, and the new value of $t_x$ is $t_i$. Therefore, constraints on $t_i$ and $t_y$ can be replaced with constraints between $t_x$ and $t_y$, which are incorporated in $\varphi_g$. Finally, executing $\uparrow_i$ for $i \in active(a)$ removes the equalities $t_i = t_j$ and adds inequalities of the form $t_u - t_j = (t_u - t_i) + (t_i - t_j) \le c_{ui} + 0$ with $u \in C_j$. However, if $y \in R_a \cap C_j$, this inequality can already be obtained by considering $(t_u - t_y) + (t_y - t_j)$, both terms being already present in the desired form. □

We give an example to show that the reduced representation is not sufficient in the general case. Consider automata $A_1$ and $A_2$, with clocks $x$ and $y$, that synchronize on transition $a$. After executing the synchronization transition, the full representation of the corresponding clock zone would be $t_1 - t_x \ge 3 \wedge t_2 - t_x \ge 3 \wedge t_1 - t_y \ge 0 \wedge t_2 - t_y \ge 0$. Then, transition $b$ can only be executed if $t_2 - t_y \le 3$, which together with $t_2 - t_x \ge 3$ implies $t_x - t_y \le 0$. The constraints $t_1 - t_y \ge 0$ and $t_2 - t_x \ge 3$, which relate the reference time of one automaton to a clock of the other, cannot be part of the simplified representation; if these constraints are ignored, the system could execute transition $b$ regardless of the relation between $t_x$ and $t_y$, leading to extraneous behaviors.

Figure 3.3: Synchronization transitions and zone representation.

Clock difference constraints are generally represented as difference-bound matrices [Dil89], which are indexed by clock variables and whose elements are bounds, i.e., pairs of the form $(\prec, c)$ corresponding to an atomic clock constraint. The component $\varphi_g$ of a local-time zone can be represented as a difference-bound matrix with $|C|$ rows and columns. Each constraint $\varphi_i$ requires $2|C_i|$ additional time bounds, for a total
of $2|C|$, i.e., an additional row and column. Thus, $\varphi_l$ can be represented by a matrix with $|C| + 1$ rows and columns, the same size as the DBM used in the standard algorithm. However, the computations performed on this matrix must take into account that segments of the additional row and column correspond to different automata and thus to different reference times. The successor computation for a transition is performed first on the submatrix corresponding to the clocks of the active automata together with their reference times (which have to be equal in this case). If any constraints between clocks are strengthened in this process, the $|C| \times |C|$ submatrix corresponding to $\varphi_g$ is canonicalized. This may strengthen constraints between clocks in an automaton $A_k$ outside the active set of the transition, which may in turn strengthen constraints in $\varphi_k$ between the clocks in $A_k$ and the reference time $t_k$.

If some automata in the network have synchronization transitions that do not reset clocks, one solution is to introduce in each of these automata an additional clock that is reset on such synchronization transitions. In this way, the network of automata is transformed into a sync-reset network, with potentially fewer than $n$ additional time variables.

In the general case, a smaller difference-bound matrix can also be obtained using the clock activity reduction of [DY96]. In this case the dimension of the DBM changes dynamically at each state, by eliminating the clocks that will no longer be used before their next reset. Using the same approach in the local-time model, we can also eliminate reference times in some cases. If all transitions entering local state $s$ in automaton $A_i$ reset clock $x$, then the strongest constraints at $s$ on the reference time $t_i$ are $t_i \ge t_x$, together with any local invariant of $s$. Thus, it is possible to represent the local-time zone at $s$ as a DBM without $t_i$, and add the above-mentioned constraints when the next local transition from $s$ is explored.
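The difference-bound matrix manipulations this section describes, as an added example that is not the thesis's code: a DBM indexed by local-time variables (clock reset times $t_x$ and reference times $t_i$), Floyd-Warshall canonicalization, an enabledness test for a guard, and the maximization of section 3.8 below, which replaces bounds outside $[c_{min}, c_{max}]$. The zone built by `example_zone` is constructed here after Figure 3.3 (two automata that reset $x$ and $y$ on a shared synchronization and then delay at least 3 in their own local time); the variable names and function names are this example's own.

```python
"""Difference-bound matrices over local-time variables (example code).

A zone is a conjunction of constraints t_u - t_v < c or t_u - t_v <= c over
clock reset times t_x and per-automaton reference times t_i.  The matrix is
indexed by those variables only, so every entry bounds one difference.
"""
import copy
from itertools import product

INF = float("inf")
# A bound is (c, strict): t_u - t_v < c when strict, t_u - t_v <= c otherwise.


def add_bounds(a, b):
    """Compose a bound on t_u - t_k with one on t_k - t_v into t_u - t_v."""
    return (a[0] + b[0], a[1] or b[1])


def tighter(a, b):
    """True if bound a is strictly tighter than bound b."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])


class LocalTimeZone:
    def __init__(self, variables):
        self.vars = list(variables)
        n = len(self.vars)
        self.m = [[(INF, True)] * n for _ in range(n)]   # unconstrained
        for i in range(n):
            self.m[i][i] = (0, False)                      # t_u - t_u <= 0

    def _i(self, v):
        return self.vars.index(v)

    def constrain(self, u, v, c, strict=False):
        """Conjoin t_u - t_v (<|<=) c, keeping whichever bound is tighter."""
        i, j = self._i(u), self._i(v)
        if tighter((c, strict), self.m[i][j]):
            self.m[i][j] = (c, strict)

    def equate(self, u, v):
        """t_u = t_v, e.g. two clocks reset by the same synchronization."""
        self.constrain(u, v, 0)
        self.constrain(v, u, 0)

    def canonicalize(self):
        """Floyd-Warshall closure; returns False iff the zone is empty
        (a negative cycle tightens some diagonal entry below '<= 0')."""
        n = len(self.vars)
        for k, i, j in product(range(n), repeat=3):
            via = add_bounds(self.m[i][k], self.m[k][j])
            if tighter(via, self.m[i][j]):
                self.m[i][j] = via
        return not any(tighter(self.m[i][i], (0, False)) for i in range(n))

    def bound(self, u, v):
        return self.m[self._i(u)][self._i(v)]

    def maximize(self, cmin, cmax):
        """Normalization of section 3.8 on a canonical matrix: bounds above
        cmax are dropped, bounds below cmin are widened to '< cmin', so that
        region-equivalent zones collapse to one matrix.  Assumes cmin <= 0 <= cmax."""
        n = len(self.vars)
        for i in range(n):
            for j in range(n):
                if i == j:
                    continue
                c, _strict = self.m[i][j]
                if c > cmax:
                    self.m[i][j] = (INF, True)
                elif c < cmin:
                    self.m[i][j] = (cmin, True)


def guard_enabled(zone, u, v, c, strict=False):
    """Can a transition guarded by t_u - t_v (<|<=) c fire from zone?"""
    z = copy.deepcopy(zone)
    z.constrain(u, v, c, strict)
    return z.canonicalize()


def example_zone():
    """Constructed zone modelled on Figure 3.3: A1 (clock x, reference t1)
    and A2 (clock y, reference t2) reset x and y on a shared synchronization,
    then each delayed at least 3 time units in its own local time."""
    z = LocalTimeZone(["tx", "ty", "t1", "t2"])
    z.equate("tx", "ty")
    z.constrain("tx", "t1", -3)      # t1 - tx >= 3
    z.constrain("ty", "t2", -3)      # t2 - ty >= 3
    z.canonicalize()
    return z


if __name__ == "__main__":
    z = example_zone()
    print("derived cross-automaton bound ty - t1:", z.bound("ty", "t1"))
    print("b guarded by y <= 3 enabled:", guard_enabled(z, "t2", "ty", 3))
    print("b guarded by y <  3 enabled:", guard_enabled(z, "t2", "ty", 3, True))
```

Canonicalization derives the cross-automaton bound $t_1 - t_y \ge 3$ from $t_x = t_y$ and $t_1 - t_x \ge 3$, which is exactly the kind of constraint the sync-reset form lets one keep implicit; a guard $y \le 3$ on $b$ leaves a non-empty zone while $y < 3$ makes it empty. Maximization with $c_{max} = 5$ turns a bound such as $t_1 - t_2 \le 50$ (one automaton far ahead of the other in local time) into "unconstrained" without touching bounds inside the window.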
3.7 Preservation of LTL$_\Delta$ formulas

In the local-time model $L(A)$ the executions of the component automata are decoupled from each other, except for synchronization transitions. Consequently, $L(A)$ accepts a richer set of behaviors than $S(A)$. This section establishes restrictions on the local-time model which ensure that each of its traces is equivalent, with respect to a given LTL$_\Delta$ formula $\varphi$, to a trace of the standard model. The semantics of LTL$_\Delta$ is extended to the local time model by defining the satisfaction of an atomic time constraint in a local-time configuration: $(s, v) \models x - y \prec c$

Theorem 4. Given an LTL$_\Delta$ formula $\varphi$, for any execution trace in the model $S(A)$ there exists an execution trace in the local-time model restricted by the ordering condition O and the fairness condition F which has the same truth value for $\varphi$, and vice versa.

Proof: The direct implication is straightforward: from a trace $\sigma$ in $S(A)$ construct a trace $\sigma_l$ in $L(A)$ by replacing each global delay transition $\rightsquigarrow^d$ with the sequence of local delay transitions $\rightsquigarrow_1^d \cdots \rightsquigarrow_n^d$. The trace $\sigma_l$ also satisfies O, since no action transitions are reordered, and F, since the same delay transitions are executed in each automaton. Since delay transitions are invisible, this transformation does not change the truth value of the LTL$_\Delta$ formula $\varphi$, and $\sigma \models \varphi$ iff $\sigma_l \models \varphi$.

For the reverse implication, we construct $\sigma$ from $\sigma_l$ by reordering all transitions so that they occur in increasing order of their timepoints. The ordering condition O guarantees that no visible transitions are reordered, and the truth value of the formula is not changed. In this transformation, delay transitions may be split and reordered so that every action transition is preceded by equal delays in all automata. The fairness condition F guarantees that for all automata, local delay transitions totaling the needed amount exist in $\sigma_l$. Finally, all local delay transitions between two consecutive action transitions are merged into a global delay transition, resulting in a trace $\sigma$ of $S(A)$. □

Based on the above theorem, we proceed as follows. We first define a restricted
local-time model $L'(A)$ whose traces satisfy the ordering condition O. Next, we construct a zone automaton $Z'(A)$ whose states are local-time atoms, i.e., sets of configurations with the same truth value for all atomic subformulas of $\varphi$. We show a correspondence between the traces of $L'(A)$ and $Z'(A)$, and then impose a fairness condition corresponding to F to ensure equivalence with the standard model. Finally, we apply a maximization of the atoms in $Z'(A)$ to obtain an automaton $M'(A)$ which is guaranteed to be finite and therefore amenable to model checking.

To preserve the ordering of visible transitions, we introduce an additional reference variable $t_v$, which denotes the timepoint of the last executed visible transition. The domain of the valuation $v$ is extended to include $t_v$; in the initial configuration, $v(t_v) = 0$. The model $L'(A)$ is defined in the same way as $L(A)$, but with the additional restriction on $v(t_v)$ that

$> 0$, ending at a configuration $\gamma_{k+1}$, and consisting of an action transition $\xrightarrow{a}$ followed by any delay transitions up to the next action transition in $\sigma_l$. These delay transitions must occur either in automata from the active set of $\xrightarrow{a}$, or in automata which have no subsequent action transition in $\sigma_l$. For the latter transitions, the invariant at the local state must be trivially true, since time advances to infinity in $\sigma_l$. Thus, taking these transitions leads to configurations in the same atom. The delay transitions in automata from the active set of $\xrightarrow{a}$
are included in the definition of the zone successor for $\alpha_k$, and consequently we have $\gamma_{k+1} \in succ_Z(\alpha_k, a_k)$. Thus, we can define $\alpha_{k+1}$ as the atom from $at'(succ_Z(\alpha_k, a_k))$ to which configuration $\gamma_{k+1}$ belongs, preserving the induction invariant. Finally, if $\sigma_l$ contains only a finite number of action transitions, it means that the resulting state has trivial invariants at each local state. Then we can extend the atom sequence $(\alpha_k)$ with a $\Rightarrow$ transition for each delay transition in $\sigma_l$ following the last action transition. Since by construction $\gamma_k \in \alpha_k$, it follows that $\sigma'_l$ and $\rho$ have pointwise the same truth values for all atomic propositions in $P \cup Q$ (the delay transitions in $\sigma'_l$ and the $\Rightarrow$ transitions in $\rho$ are stuttering steps).

For the reverse step, since $\alpha \Rightarrow \alpha'$ iff every configuration in $\alpha'$ is reachable from some configuration in $\alpha$ by executing $\xrightarrow{a}$ followed by delay transitions, it follows by induction that any atom sequence $\rho$ has a witness trace of configurations. Since the constructed configurations belong pairwise to atoms in $\rho$, the two sequences must have the same truth value for the formula $\varphi$. □

It remains to restrict the zone execution sequences such that the included execution traces satisfy the fairness condition F. Otherwise, the local-time model may contain traces that do not require all automata to execute, and do not correspond to any trace in the standard model. The fairness condition F is violated if in one of the component automata the execution trace cannot make indefinite time progress. This is the case if, starting from some point in the zone sequence, there exists a clock on which each zone imposes an upper bound due to its invariant. The negation of this condition means that any clock which is infinitely often limited by an invariant has to be reset infinitely often, allowing time to diverge. Consequently, the fairness constraint can be written as a temporal logic formula in terms of the underlying state-transition structure of the automaton,
$\bigwedge_{x \in C} GF\, x\_bounded \Rightarrow GF\, x\_reset$.

The model checking problem on the initial network of automata is thus reduced to LTL model checking of a finite Kripke structure with a set of fairness constraints.

The fairness constraint can also be enforced by a more restrictive definition of allowable successor transitions, while also providing a guarantee that the local-time atom graph will not contain more zones than the one constructed for a global-time model. Note that allowing each automaton to execute decoupled, in its own local time scale, can lead to some automata overtaking the others and some lagging behind in time. In particular, this may lead to the exploration of control states that do not appear in the original model, because the local reference times do not coincide. This does not affect the correctness of our result, since we have restricted visible transitions to their initial ordering. However, it may cause the local-time model (to which partial order reduction will be applied) to contain more enabled transitions at each state (since they do not have to be executed in time order), and thus more control states.

A local-time zone $(s, \varphi_l)$ is called synchronizable if it contains at least one synchronized configuration, with $v(t_i) = v(t_j)$ for all $i, j \in 1..n$. In other words, $(s, \varphi_l)$ is synchronizable iff $\varphi_l \wedge \bigwedge_{i,j} t_i = t_j$ is satisfiable. A transition $a$ is firable in zone $(s, \varphi_l)$ if it is enabled in $(s, \varphi_l)$ and $succ_Z((s, \varphi_l), a)$ is synchronizable. If the atom graph is generated using only firable transitions, this ensures that a transition can be taken in the atom graph iff it can be taken in the original zone automaton. Clearly, this also ensures the fairness condition, since the time progress of at least one automaton (due to the non-Zeno assumption) together with synchronization implies the time progress of all components towards infinity. In terms of efficiency, this approach trades a potentially smaller size of the model before reduction against a more complex test for firability of a transition.
3.8 Building a finite model

In general, the local-time zone automaton can be infinite, since the difference bounds on clocks can become arbitrarily large. The original formulation of the local-time model [BJLW98] gives a proof that the infinite number of local-time zones can be divided into a finite number of equivalence classes, based on the standard region-graph equivalence. However, this proof is non-constructive; in particular, it gives no concrete means of determining the equivalence of two unsynchronized local-time zones, which is needed to ensure termination of the state space search. In this section, we show that, just as in the case of the standard zone automaton, the actual value of the bounds on clock differences does not affect the enabledness of transitions once a certain value is exceeded. Each local-time zone can therefore be normalized in order to obtain a finite model.

We adapt the maximization operation used, e.g., in [Won94] to the local-time model. Let $c_{min}$ and $c_{max}$ be the minimum and maximum constants in the description of the automaton $A$ and the formula $\varphi$ (assuming all constraints are given in canonical form $t_u - t_v \prec c$).

$t_u - t_v$ ... $c_{max}$ and $\lfloor v'(t_u) - v'(t_v) \rfloor > c_{max}$.

Region equivalence can be extended naturally to configurations by defining $(s, v) \simeq_{reg} (s', v')$ iff $s = s'$ and $v \simeq_{reg} v'$. Regions are the equivalence classes induced by $\simeq_{reg}$ on the set of configurations $\mathcal{C}$. The following lemma holds:

Lemma 6. Let $v \simeq_{reg} v'$. Then:

1. For any constraint $\varphi$ in $A$ or in the specification $\varphi$, $v \in \varphi$ iff $v' \in \varphi$.
2. For any clock set $R$, $v[R \to 0] \simeq_{reg} v'[R \to 0]$.
3. For $i \in 1..n$ and $d > 0$ there exists $d' > 0$ such that $v +_i d \simeq_{reg} v' +_i d'$.

The proof reduces to the known result for the (global) region graph construction, with the following two observations. First, the local-time model adds the implicit constraints $t_i = t_j$ for synchronization transitions, but the constants in these constraints are 0 and do not influence $c_{min}$ and $c_{max}$. Second, when performing a local-time delay in automaton $A_i$, the only variable that changes its valuation is $t_i$. Therefore, the other reference times $t_j$, with $j \ne i$, are indistinguishable from ordinary reset times $t_x$, with $x \in C$, and the situation is identical to the global time model, for which the property is known to hold.

Since the execution of any transition is expressed in terms of conjoining with the constraints of $A$, resetting clocks and advancing local time, Lemma 6 implies the following property (cf. [ACD90]):

Proposition 7. Let $\gamma \simeq_{reg} \gamma'$ be two region-equivalent configurations in $\mathcal{C}$.

1. If $\gamma \xrightarrow{a} \gamma_1$, there exists $\gamma'_1 \simeq_{reg} \gamma_1$ such that $\gamma' \xrightarrow{a} \gamma'_1$.
7' 2 if 7 71 with d 2 R+, i 2 1pn, there exists d' 2 R+ and 7' 'reg 71 d' such that 7' ;i 7i 69 We define the maximization max(z) of a zone z as the set of conhgurations which are equivalent to some region-equivalent configuration in z: max(z) = {7' 2 VC | 2 z 7 'reg 70} A maximized zone is therefore a convex union of regions, since by including one configuration of a region it has to include all others it is easily seen that a maximized zone is obtained from the canonical representation of a zone by modifying all constraints outside the range [Cmin; Cmax]: tu tv C with C cmax becomes tu — tv 3 Since tu — tx = tv — ty due to the previous synchronizations, the two conditions cannot be satisfied simultaneously Exploring either of =) and =) restricts the current local-time zone to a fragment where the other transition is no longer enabled Thus, even though =) and =) are independent, selecting only one of them as an ample set would violate condition C0 Consequently, when selecting a set of ample transitions, one needs to make sure that condition C0 is observed and at least one ample transition is enabled in every configuration that has a transition enabled in the unreduced model Let guard (a) be the enabling condition of -! 
in the local-time model, i.e., $\varphi_a \wedge \bigwedge_{i, j \in active(a)} t_i = t_j$. If $\varphi_l$ is the current local-time zone at state $s$, we require
$\varphi_l \wedge \bigvee_{a \in enabled(s)} guard(a) = \varphi_l \wedge \bigvee_{a \in ample(s)} guard(a)$.

A simpler, sufficient condition can be given as follows. Let $T_{ample}$ be the set of all time variables (clock reset times and reference times) in the automata that contain transitions from the current ample set. The remaining enabled transitions do not involve any of these automata and thus depend only on variables in $T^+ \setminus T_{ample}$. If the set of configurations from which an ample transition is enabled, $\varphi_l \wedge \bigvee_{a \in ample(s)} guard(a)$, contains every combination of values for the variables in $T^+ \setminus T_{ample}$ that is allowed by $\varphi_l$, then there are no configurations in $\varphi_l$ for which transitions outside the ample set are enabled while transitions in the ample set are not. Thus, condition C0 is preserved. The corresponding relation, with the existential quantification projecting away the variables $X = T_{ample}$, is
$\exists X.\ (\varphi_l \wedge \bigvee_{a \in ample(s)} guard(a)) = \exists X.\ \varphi_l$.
In particular, this relation is easy to check if the ample set contains a single transition: it means that after conjoining with its guard, the projection of the local-time zone onto the remaining automata is unmodified.

The ample set reduction is done according to the criteria outlined in Section 2.6: a set of automata (ideally, a single one) with no locally enabled communication to automata outside the set is found. The cycle closing condition can be ensured either using the traditional depth-first search or using static partial order reduction, based on analyzing the cycle structure of the individual automata. Finally, if at the current point all local control states have trivial invariants, one takes into account that an infinite sequence of self-loop transitions is possible from this state. If a local state with a nontrivial invariant is explored, one must make sure that when the upper bound of the invariant is reached, at least one of the transitions is enabled; otherwise, deadlock occurs, since time cannot progress. If this invariant is of the
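The following Python code is an added example, not code from the dissertation or from its tool, illustrating three of the operations above on difference bound matrices: the region-equivalence test of Lemma 6 on clock valuations, the maximization $max(z)$ that turns the zone automaton into a finite model, and the sufficient condition for C0 in which conjoining the guard of a single ample transition must leave the projection of the local-time zone onto the remaining automata unchanged. Two assumptions are made that the page does not state: zones carry non-strict bounds only, and the widening rule is the usual one (bounds above $c_{max}$ become unbounded, bounds below $-c_{max}$ become $-c_{max}$), since the page's own statement of the rule is cut off. The variable names (reference times t1, t2 and reset time tx), the zones and the guard in demo() are constructed for illustration; the "coupled" zone reproduces the situation described above, where a synchronization has tied the reference times of two automata and exploring one local transition restricts the other automaton.

```python
"""Added example: zone operations for the local-time model on difference
bound matrices (DBMs). A zone over variables names[0..n-1], with names[0]
the constant 0, is a matrix m with m[i][j] the bound of v_i - v_j <= m[i][j];
only non-strict bounds are used, an assumption that keeps the code short.
Variable names, constants and zones below are constructed for illustration."""

INF = float("inf")


def zone(names, constraints):
    """DBM from (lhs, rhs, c) triples meaning lhs - rhs <= c."""
    n = len(names)
    m = [[0 if i == j else INF for j in range(n)] for i in range(n)]
    for lhs, rhs, c in constraints:
        i, j = names.index(lhs), names.index(rhs)
        m[i][j] = min(m[i][j], c)
    return m


def canonicalize(m):
    """Tighten every bound along all paths (Floyd-Warshall); None if empty."""
    n = len(m)
    m = [row[:] for row in m]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if m[i][k] + m[k][j] < m[i][j]:
                    m[i][j] = m[i][k] + m[k][j]
    return None if any(m[i][i] < 0 for i in range(n)) else m


def conjoin(m1, m2):
    """Intersection of two zones: pointwise minimum of the bounds."""
    return canonicalize([[min(a, b) for a, b in zip(r1, r2)] for r1, r2 in zip(m1, m2)])


def maximize(m, cmax):
    """max(z) for the finite model: in the canonical form, every bound above
    cmax becomes unbounded and every bound below -cmax becomes -cmax, then the
    matrix is re-closed (assumed widening rule). Every remaining finite bound
    is a sum of clipped ones, so only finitely many such matrices exist."""
    m = canonicalize(m)
    return canonicalize([[INF if c > cmax else max(c, -cmax) for c in row] for row in m])


def project(m, names, keep):
    """Existentially quantify away every variable not in keep."""
    m = canonicalize(m)
    idx = [names.index(x) for x in keep]
    return None if m is None else [[m[i][j] for j in idx] for i in idx]


def ample_c0_holds(names, local_zone, guard, ample_vars):
    """Sufficient condition for C0 with a single ample transition: conjoining
    its guard must leave the projection onto the variables of the other
    automata (T+ minus T_ample) unchanged."""
    rest = [x for x in names if x not in ample_vars]
    return project(conjoin(local_zone, guard), names, rest) == project(local_zone, names, rest)


def region_equivalent(v1, v2, cmax):
    """v1 ~reg v2 (Lemma 6): clocks above cmax agree on being above cmax;
    the others agree on integer part, on having a zero fractional part, and
    on the ordering of their fractional parts."""
    small = []
    for x in v1:
        a, b = v1[x], v2[x]
        if a > cmax or b > cmax:
            if not (a > cmax and b > cmax):
                return False
            continue
        if int(a) != int(b) or (a % 1 == 0) != (b % 1 == 0):
            return False
        small.append(x)
    return all((v1[x] % 1 < v1[y] % 1) == (v2[x] % 1 < v2[y] % 1)
               for x in small for y in small)


def demo():
    names = ["0", "t1", "t2", "tx"]  # t1, t2: reference times of A1, A2; tx: reset time of clock x in A1
    base = [("0", "tx", 0), ("tx", "t1", 0), ("0", "t2", 0)]  # tx >= 0, x = t1 - tx >= 0, t2 >= 0
    coupled = zone(names, base + [("t1", "t2", 0)])  # A1 never ahead of A2 (t1 <= t2)
    free = zone(names, base + [("t2", "t1", 0)])     # A2 never ahead of A1 (t2 <= t1)
    guard = zone(names, [("tx", "t1", -1)])          # local transition of A1 guarded by x >= 1
    wide = zone(names, [("t1", "t2", 100), ("t2", "t1", -7)])
    return {
        # the guard forces t1 >= 1 and, through t1 <= t2, also t2 >= 1: the projection changes, C0 fails
        "c0_coupled": ample_c0_holds(names, coupled, guard, {"t1", "tx"}),
        # here t2 is not bounded below through t1, so the projection onto {0, t2} is unchanged
        "c0_free": ample_c0_holds(names, free, guard, {"t1", "tx"}),
        "maximized": maximize(wide, 5),  # 100 becomes unbounded, -7 becomes -5
    }
```

Running demo() returns c0_coupled False, c0_free True, and a maximized matrix in which the bound of t1 - t2 is unbounded and that of t2 - t1 is -5. Strict bounds would need a (value, strictness) pair per entry with the usual ordering; the structure of the checks is the same.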
form $x \le$ [...]

[...] $c_{max}$ and $v'(x) > c_{max}$.
2. For all $x, y \in C$ with $v(x) \le$ [...]

[...] iff one of the following holds:
— the successor state $s'$ with respect to $a$ has an invariant of the form $x \le$ [...] for all $y \in C$ and $\{v(x)\} > \{v(y)\}$ for all $y \in C$.
• $\xrightarrow{a}$ can disable the time-passage transition iff one of the following holds:
— $a$ has a constraint of the form $x \le$ [...] for all $y \in C$ and $\{v(x)\} > \{v(y)\}$ for all $y \in C$.

Proof: Since $\xrightarrow{a}$ does not reset any clocks, the clock valuations in $s$ and $s'$ after executing $a$ are the same. We examine first the cases where $\xrightarrow{a}$ disables the passage of time. This means that passage of time, which is allowed in control state $s$, is no longer allowed in state $s'$. This occurs when the advance of some clock $x$ is limited by an invariant of the form $x \le$ [...] $\{v(y)\}$ for all $y \in C$; in addition, the current region must not itself be a boundary region with some $\{v(y)\} > 0$. Otherwise, the next region is obtained by an infinitesimal advance of time, which increases $\{v(y)\}$ from 0 to positive while maintaining $v(x)$ [...]

Proof: The proof follows from the fact that for any $t \in \mathbb{R}^+$, the transitions $\xrightarrow{a}$ and $\xrightarrow{t}$ commute in $(s, v)$ if neither disables the other and $\xrightarrow{a}$ does not reset any clocks. This is obvious, since $\xrightarrow{a}$ only changes the control location and $\xrightarrow{t}$ only changes the clock valuation. □

Based on this dependence relation, partial order reduction can be used in the construction of a smaller region graph for a given timed automaton. Ordinarily, even at a state where only a single transition is enabled, the region graph construction would have to consider either executing the transition or advancing time to the next region. For transitions that do not reset clocks, this method allows the exploration of only one possibility, except for the case when the execution of the transition is forced at the end of its enabling interval. (The other case, where a time invariant is strengthened in the successor state, rarely appears in practice.) As opposed to the local time model, this method does not make use of the structuring of a system into components, and can be used on a single timed automaton. Furthermore, the region graph, being time-abstract, can be represented symbolically using binary decision diagrams (BDDs). Thus, if a static technique is used for partial order reduction, this method can potentially combine partial order reduction and symbolic model checking.

4.2 Partial Order Reduction for Timed Event Level Structures

A model of timed systems which is well suited for describing hardware circuits, in particular asynchronous ones, is provided by the so-called timed event level (TEL) structures. This model can express both event causality and dependence on signal levels. Early work by Rokicki and Myers [RM94] gave an algorithm that reduced the number of geometrical timing regions generated during state space search. This approach was later extended by Belluomini and Myers [BM98] using so-called partially ordered sets of events (POSETs). We show how to apply partial order reduction to this model and obtain additional savings in the generated control state space.

4.2.1 Timed Event Level Structures

We start with a presentation of timed event level structures and the POSET
algorithm, following the account given in [BM98].

A timed event level (TEL) structure is a tuple $T = (N, S_0, A, E, R, \#)$, where:
• $N$ is the set of (boolean) signals,
• $S_0 \subseteq \{0, 1\}^N$ is a set of initial states, specified by a boolean value for each signal,
• $A \subseteq N \times \{+, -\} \cup \{s\}$ is the set of actions,
• $E \subseteq A \times \mathbb{N}$ is the set of events, where $\mathbb{N}$ is the set of natural numbers,
• $R \subseteq E \times E \times \mathbb{N} \times (\mathbb{N} \cup \{\infty\}) \times B(N)$ is the set of rules, where $B(N)$ is the set of boolean functions $b : \{0, 1\}^N \to \{0, 1\}$,
• $\# \subseteq E \times E$ is the (symmetric) conflict relation between events.

An action $a \in A$ can be either a rising or a falling transition of a signal $x \in N$. There is also the dummy action $s$, which does not result in any signal transition. An event $e \in E$ is a pair $(a, i)$, with $a \in A$ and $i \in \mathbb{N}$, denoting the $i$th occurrence of action $a$. A rule $r \in R$ is a tuple of the form $(e, f, l, u, b)$, where $e$ is the event enabling the rule, $f$ is the event enabled as effect of the rule, $(l, u)$ is a pair of lower and upper integer time bounds, and the enabling condition $b \in B(N)$ is a boolean function on signal values.

The semantics of TEL structures can be described informally as follows. A rule becomes enabled once its enabling event has occurred and its boolean enabling condition is true for the current signal assignment. After the lower time bound $l$ passes since the enabling of a rule, the rule is called satisfied; from this time point on, the rule can fire. After the passage of the upper time bound $u$ since its enabling, a rule becomes expired. In the absence of conflicts, an event has to occur after all rules enabling it are satisfied, and before any of them expires. Should a rule's boolean enabling condition become false after the rule is enabled, this constitutes a hazard and represents a failure during verification.

The conflict relation $\#$ can be used to model choice and disjunctive behavior. If two events $e_1$ and $e_2$ are marked as being in conflict, $e_1 \# e_2$, one of the two can occur, but not both. If two rules $r_1$ and $r_2$ have the same enabling event $e$, but conflicting events $e_1 \# e_2$ as effect, then only one of the rules can fire, causing the corresponding effect to occur. This models nondeterministic choice. Conversely, if an event $e$ appears as an effect of two rules with conflicting enabling events, only one of these events needs to happen (and only one rule needs to fire) for the effect $e$ to occur.

4.2.2 State Space Exploration Using POSETs

We next describe the data structures and the exploration algorithm used in the POSET approach of Belluomini and Myers [BM98], to establish a comparison point for the application of partial order reduction. In TEL structures, a timed state is represented as a tuple $(s_c, R_m, M, R_f)$, where:
• $s_c$ is the control state representing the values of the signals,
• $R_m$ is the set of marked rules, whose enabling event has occurred,
• $M$ is the constraint matrix, a difference bound matrix containing the maximum differences between the enabling times of all enabled rules,
• $R_f$ is the set of rules that have already fired.

The set of marked rules $R_m$ together with the values of the signals in $s_c$ determine the set of enabled rules $R_{en}$. These are the rules for which timing information is maintained in the constraint matrix $M$. For the fired rules in $R_f$, no timing information needs to be maintained in the constraint matrix, but the fact that they have fired must be recorded.

A state space exploration step in a TEL structure consists of determining the set of satisfied rules $R_s$, choosing a satisfied rule to fire, and computing the resulting new timed state. A depth-first search of the state space would consider in turn the firing of each rule among the satisfied rules in $R_s$. However, each interleaving of rule firings would typically generate a different constraint matrix $M$ (that is, a different timing region), leading to an exponential number of different timed states. The POSET method generates a timed state space consisting of fewer and larger timing regions. To this
effect, the algorithm maintains, in addition to the constraint matrix (which contains separation times between enabled rules), another difference bound matrix, called the POSET matrix, which keeps track of the relationships between event firing times that are allowed by the given rule firing sequence. As a result, the timing behaviors represented in the constraint matrix are only constrained by the causality in the firing sequence, and no longer by its total order, resulting in a significantly reduced number of timed states.

However, the method still requires multiple rule interleavings to be explored, even though with the use of POSETs the same timing region is generated in the state space. Also, some computation steps for the constraint matrix still take into account the chosen total order of rule interleavings, which results in unnecessary overhead. In the following, we present the POSET algorithm by working through an example which showcases both its strengths and limitations, and finally present an improved algorithm which takes advantage of partial order reduction.

The POSET algorithm decouples rule firing from event firing: a rule can fire as soon as it is satisfied, i.e., it has been enabled for at least its lower time bound. An event fires only once all its enabling rules have fired. The causal rule $r_c$ for an event $e$ is therefore the last rule that fires and consequently enables the event. Conversely, the causal event for a rule $r = (e_c, e, l, u, b)$ can be either the enabling event $e_c$ or some later event that causes the enabling condition $b$ to be satisfied. Finally, note that the causal event $e_c$ of an event $e$ is the causal event of its causal rule $r_c$, and the minimum and maximum separation times between $e_c$ and $e$ are consequently given by $r_c$.

Taking these causality relations into account, the POSET algorithm proceeds as follows: from the timed state $(s_c, R_m, M, R_f)$, the set of satisfied rules is computed and a rule $r$ that can fire first among these is selected. The rule $r$ is removed from the set of marked rules $R_m$ and added to the set of fired rules $R_f$. Next, the algorithm checks whether, as a result of firing $r$, any event can fire. If yes, the untimed state is updated, the enabling rules of the event are removed from $R_f$, and any conflicting rules are removed from $R_m$ and $R_f$. Finally, the POSET matrix is updated and the new event separations are used to update the constraint matrix.

When adding a new event $e$ to the POSET matrix, the separation times to the events that influence $e$ (and therefore exist in the POSET matrix) must be taken into account. This includes the causal event of $e$, the enabling events of any rules that enable $e$, and the events occurring in the boolean conditions of these rules. Determining these separation times is straightforward and is described in detail in [BMH99]. The separation times between the new event $e$ and any other events in the POSET matrix are simply a consequence of existing separation times and are computed by canonicalizing the matrix using the all-pairs shortest paths algorithm. After this step, all events which are no longer relevant to the evolution of the system (i.e., are not causal for any of the marked rules in $R_m$) are removed from the matrix. As a last step, all rules enabled by the firing of the new event need to be added to the constraint matrix $M$. Since the enabling time of a rule is simply the timepoint of its enabling event, the needed minimum and maximum separation times between the new rules and the existing ones can simply be copied from the POSET matrix. The constraint matrix is then canonicalized, which can further constrain some of its entries, since the age of a rule cannot exceed its maximum bound $u$. Finally, the rule whose firing caused this computation step (and which is thus no longer in $R_{en}$) is removed from the constraint matrix.

We illustrate the application of the POSET algorithm by means of a small example, taken for purposes of comparison from [BM98]. Figure 4.1 depicts a timed event level structure, in which events are represented as nodes and rules as directed edges (labeled with time bounds) connecting them. For simplicity, no level dependencies are included in this case, which means that all boolean conditions of the rules are true. Thus, the sole triggering condition for a rule is its enabling event. Initially, event $A$ has just fired, and the set of marked (and enabled) rules is $R_{en} = \{(A, B), (A, C)\}$ (we can unambiguously denote a rule by its triggering and resulting events). The POSET matrix is trivial and contains the single event $A$. The constraint matrix compares the ages of the enabled rules, i.e., the amount of time passed since each rule has been enabled. These are quantities that increase at the same rate with the passage of time, just like the clocks in a timed automaton. Similarly, the matrix contains a dummy clock which always has age 0.

Figure 4.1: Sample timed event level structure

The representation defined in [BM98], which we follow for reasons of consistency, defines the matrix entry $m_{ij}$ to be $c_j - c_i$, where $c_i$ is the age of the rule $r_i$. Thus, rows and columns are swapped compared to the usual DBM representation. In an alternate view, we can state that $m_{ij} = t(e_i) - t(e_j)$, where $e_i$ is the causal event for rule $r_i$ and $t(e_i)$ its firing time. In this case, the zero row and column denote the current time $t$, and $m_{0i} = t - t(e_i)$. The entries in row 0 are thus set to the maximum possible age for each rule, given by its upper bound $u$, since the constraint matrix contains rules which have not yet fired. In this case, both rules are enabled by the same event $A$ and therefore have identical enabling times, $m_{AB,AC} = m_{AC,AB} = 0$. We have $t - t(A) \le$ [...] $t(r_i)$, and the lower bounds on the rules imply $t(e) - t(e_i) \ge t(r_i) - t(e_i) \ge l_i$, for [...]

[...] $t$. We denote this set by $enabled^+(s, t) = \{a \in T \mid \exists t' > t.\ (t', a) \in enabled(s)\}$. The upper bound on the firing time of $a$ at $s$ is denoted by $firemax(a, s) = \sup \{t \in \mathbb{R}^+ \mid (t, a) \in enabled(s)\}$. We write $t \le$ [...] $a \in enabled^+$
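As an added example, not code from the dissertation or from the POSET tool it compares against, the following Python interpreter implements the TEL rule semantics of Section 4.2.1 directly, without POSET or constraint matrices: a rule is marked by its enabling event, becomes enabled once its level condition holds, is satisfied after $l$ and expired after $u$; an event fires once every rule enabling it has fired (or is in conflict with one that has); rules whose effect conflicts with the event are discarded; letting time pass beyond a rule's upper bound is rejected; and a level condition that turns false after enabling is reported as a hazard. The events, bounds, conflict and level condition in run_example are constructed for illustration and are not the structure of Figure 4.1.

```python
"""Added example: a direct interpreter for TEL structure semantics (Section 4.2.1).
Events are named "<signal>+", "<signal>-" or "$" (dummy); the structure built in
run_example is constructed for illustration."""

INF = float("inf")


class Rule:
    """A rule (e, f, l, u, b): event e enables event f within [l, u] while b holds."""

    def __init__(self, enabling, effect, lower, upper, cond=None):
        self.enabling, self.effect = enabling, effect
        self.lower, self.upper = lower, upper
        self.cond = cond or (lambda signals: True)

    def __repr__(self):
        return f"({self.enabling} -> {self.effect} [{self.lower}, {self.upper}])"


class TimingViolation(Exception):
    """Time would pass the upper bound of a rule whose effect has not fired."""


class Hazard(Exception):
    """The level condition of an enabled rule became false."""


class TelState:
    def __init__(self, signals, rules, conflicts, initial_event, now=0.0):
        self.signals = dict(signals)                        # s_c
        self.rules = list(rules)
        self.conflicts = {frozenset(p) for p in conflicts}  # symmetric #
        self.now = now
        self.marked = {}    # R_m: rule -> enabling time, None while its condition is false
        self.fired = set()  # R_f
        self.occurred = [initial_event]
        self._mark_successors(initial_event)

    def _in_conflict(self, e1, e2):
        return frozenset((e1, e2)) in self.conflicts

    def _mark_successors(self, event):
        for r in self.rules:
            if r.enabling == event:
                self.marked[r] = self.now if r.cond(self.signals) else None

    def age(self, rule):
        t = self.marked.get(rule)
        return None if t is None else self.now - t

    def status(self, rule):
        a = self.age(rule)
        if a is None:
            return "marked" if rule in self.marked else "inactive"
        if a < rule.lower:
            return "enabled"
        return "satisfied" if a <= rule.upper else "expired"

    def max_delay(self):
        """Largest delay after which no enabled rule has expired."""
        return min((r.upper - self.age(r) for r in self.marked
                    if self.age(r) is not None), default=INF)

    def advance(self, dt):
        if dt > self.max_delay():
            raise TimingViolation(f"delay {dt} exceeds {self.max_delay()}")
        self.now += dt

    def fire_rule(self, rule):
        if self.status(rule) != "satisfied":
            raise ValueError(f"{rule} is {self.status(rule)}, not satisfied")
        del self.marked[rule]
        self.fired.add(rule)
        if self._event_ready(rule.effect):
            self._fire_event(rule.effect)

    def _event_ready(self, event):
        """Every rule for the event has fired, or conflicts with one that has."""
        rules_f = [r for r in self.rules if r.effect == event]
        done = [r for r in rules_f if r in self.fired]
        return bool(done) and all(
            r in self.fired or any(self._in_conflict(r.enabling, q.enabling) for q in done)
            for r in rules_f)

    def _fire_event(self, event):
        if event != "$":
            self.signals[event[:-1]] = 1 if event[-1] == "+" else 0
        self.occurred.append(event)
        self.fired -= {r for r in self.rules if r.effect == event}
        for r in list(self.marked) + list(self.fired):  # drop rules in conflict with the event
            if self._in_conflict(r.effect, event):
                self.marked.pop(r, None)
                self.fired.discard(r)
        for r, t in list(self.marked.items()):          # re-evaluate level conditions
            holds = r.cond(self.signals)
            if t is None and holds:
                self.marked[r] = self.now
            elif t is not None and not holds:
                raise Hazard(f"condition of {r} became false after enabling")
        self._mark_successors(event)


def run_example():
    """a+ enables either b+ or c+ (b+ # c+); b+ then enables a- while c stays low."""
    r_ab, r_ac = Rule("a+", "b+", 1, 3), Rule("a+", "c+", 2, 4)
    r_ba = Rule("b+", "a-", 0, 2, cond=lambda s: s["c"] == 0)
    st = TelState({"a": 1, "b": 0, "c": 0}, [r_ab, r_ac, r_ba], [("b+", "c+")], "a+")
    st.advance(1.5)
    before = (st.status(r_ab), st.status(r_ac))  # ('satisfied', 'enabled')
    st.fire_rule(r_ab)                            # b+ occurs; (a+ -> c+) is discarded by the conflict
    return {"before": before, "signals": dict(st.signals), "marked": list(st.marked),
            "max_delay": st.max_delay(), "occurred": list(st.occurred)}
```

After run_example() fires b+, only the rule (b+ -> a-) remains marked, and max_delay() reports 2.0: the model must fire a- within its upper bound, exactly the forced-firing situation that the POSET constraint matrix encodes in its row 0. The interpreter explores one concrete timepoint per step; the timing regions of the POSET method are the sets of all such interpreter runs that share a rule firing order.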
$(s_i, t_i)$ (where $t_0 = 0$). In the following, we restrict our attention to non-Zeno traces, in which only a finite number of transitions can occur within any finite interval. Consequently, in any non-Zeno trace, time grows unbounded towards infinity.

5.3 A Relaxed Timing Semantics

5.3.1 Preliminaries

In practice, state space exploration algorithms operate on sets of timed states, usually called timed regions, which are represented using timing constraints. Requiring a strict time ordering of explored transitions causes transitions to be serialized even if they are independent. As a result, supplementary constraints on transition ordering are added to the representation of a timed region. Thus, a distinct timed region is generated for each interleaving of transitions, leading to an explosion in the number of generated regions. We approach this problem by defining a modified semantics for a timed structure, which relaxes some of the time ordering constraints specified for the traces in $L_s(Q)$.

Recall that in a trace $\sigma = s_0 \xrightarrow{t_1, a_1} s_1 \xrightarrow{t_2, a_2} s_2 \ldots s_i \ldots$ from $L_s(Q)$, each subsequent timed transition $\xrightarrow{t_{i+1}, a_{i+1}}$ has to satisfy:
• a relative ordering condition on transition timings: $t_i \le$ [...]

[...] $a(succ_{t', a'}(s))$. Two untimed transitions $a$ and $b$ are independent if the timed transitions $(t, a)$ and $(t', b)$ are independent for any $t, t' \in \mathbb{R}^+$, and are dependent otherwise. The goal of our relaxed semantics is to ensure that each execution trace is stuttering equivalent to a trace of the original model. Consider the timed transitions [...] with [...]:
(1) $a_i$ causal to $a_j \Rightarrow t_i$ [...]

[...] $(a \in enabled(s_k) \vee a = a_k)$.
The first three conditions have been discussed in turn. The fairness condition F prohibits an indefinite postponement of a transition $a$ which has a finite upper firing bound. With this definition, we can now prove:

Theorem 6. The set of relaxed traces $L_r(Q)$ is a superset of the set of standard traces $L_s(Q)$. Moreover, each relaxed trace is stuttering equivalent to some standard trace.

Proof: It is clear that all traces of $L_s(Q)$ are also traces of $L_r(Q)$. Indeed, in $L_s(Q)$ a timed transition has to be firable with respect to all transitions enabled at that state, and the ordering condition between timepoints holds between all pairs of transitions. The fairness condition is ensured in $L_s(Q)$ by the non-Zeno assumption: time eventually exceeds any bound, and thus a perpetually enabled transition with a finite firing bound is forced to execute when this bound is reached.

Let us consider a trace $\sigma \in L_r(Q)$ and construct a stuttering-equivalent trace $\sigma' \in L_s(Q)$. We prove by induction over $k \in \mathbb{N}$ that we can successively construct the execution traces $\sigma_0, \sigma_1, \ldots, \sigma_k \in L_r(Q)$ from $\sigma$ by permuting transitions, such that $\sigma_k \equiv_{st} \sigma$, and the first $k$ transitions of $\sigma_k$ can be executed in the standard semantics. Specifically, $\sigma_k$ starts with the first $k$ transitions of $\sigma$ in order of their timepoints, with ties broken in favor of the transition explored earlier. For the base case $k = 0$ we trivially take $\sigma_0 = \sigma$, since the initial states are the same in both trace families. For the induction step, assume the property is true for some $k \ge 0$. Let $(t_j, a_j)$ be the transition in $\sigma_k$ with the next smallest timepoint after the transitions $a_1, a_2, \ldots, a_k$ of $\sigma_k$. If $j = k + 1$, we trivially take $\sigma_{k+1} = \sigma_k$. Otherwise, for $k$ [...] $i$ such that $a_j \in dependency(a_i, s_{i-1})$ (and $a_j$ is continually enabled in $s_{i-1}$ through $s_{j-1}$) [...]

[...] Since $a_j$ is necessary for $b$, $a_j$ is the start of a sequence of causal transitions $\rho$ leading to $b$, and thus $t_i \le$ [...]

[...] $t_b + 2$, and $a$ is in the dependency set of $b$ because it can cause transition $c \in conflict(b)$ with $t_c > t_a + 1$. However, if [...] $-1$ [...] $t_a$, and a transition $b$ which writes $v$ is restricted by $\bigwedge_{i \in read(v) \cup write(v)} t_i > t_b$, where $read(v)$ and $write(v)$ are the sets of process indices which read and write $v$, respectively. This ensures that in the other relevant processes, the reference time has already advanced past the execution point of the considered transition, and thus any conflicting transitions explored subsequently are serialized in the
correct order. If we use instead variables denoting the last transition in a given process, as in Chapter 5, then for a read transition $a$ we require $\bigwedge_{i \in write(v)} t_a > t_{last_i}$, and for a write transition $b$ we require $\bigwedge_{i \in read(v) \cup write(v)} t_b > t_{last_i}$. Here, the inequalities ensure that the transition occurs at a timepoint which is later than that of the last executed transition in any potentially conflicting process.

6.2 Parameterized Benchmarks

Our first comparison is made on a set of benchmarks which has been used in [BMPY97] to compare continuous-time techniques based on difference bound matrices with discrete-time techniques based on numerical decision diagrams (NDDs). The same examples are used in [BM98] to compare the efficiency of the POSET method for TEL structures. These benchmarks highlight specific extreme-case scenarios which appear in the exploration of timed systems.

Benchmark A (Figure 6.1) consists of a series of $N$ independent timed automata $A_i$, each with a single state and one clock $C_i$. Each automaton has an invariant on $C_i$ [...] and a self-loop transition, guarded by $C_i > l_i$, which also resets $C_i$. Thus, the global system has a unique control state, but the set of possible time configurations becomes more and more complex as the system evolves, eventually covering the entire possible space of clock values. In [BMPY97] it is shown that standard DBM techniques cannot handle more than 5 of these automata composed together. Our results, shown in Table 6.1, are consistent with those obtained in [BM98] using POSETs. It can be seen that with the local time model, only relatively few timed states need to be generated before the entire state space is finally covered. Since the example contains only one control state, partial order reduction is not applicable, and the improvements are due entirely to the local time model.

Figure 6.1: Benchmark A (automata $A_1, \ldots, A_N$, each with a single state and a self-loop guarded by $x_i > l_i$ that resets $x_i$)

To preserve consistency with the results of [BMPY97], in this example, as well as in the remainder of the benchmarks in this section, the time constants in the model have been generated randomly from the interval [...].

Table 6.1: Exploration of example A using a local-time model
  N          16    32    48    64    80    96   112   128
  states     72   158   229   226   298   382   439   469
  time (s)  0.1     4   7.2  15.7    40  84.8   154   252

A second benchmark B (Figure 6.2) consists of $N$ two-state automata, between which the automaton switches in a time interval $[l_i, u_i)$. Such an automaton represents a boolean signal for which two successive changes in value are constrained by a lower and an upper time bound. An array of such automata would be necessary to model the behavior of a circuit under all possible inputs. Again, the results for reachability analysis are similar to those obtained with the POSET method, and significantly better than the standard exploration, which cannot handle more than 4 stages. This model is significantly more complex than the previous one, and the number of timed states increases much faster (the number of control states is $2^N$).

Figure 6.2: Benchmark B

Due to the independence of its transitions, this model is the ideal candidate for partial order reduction. Table 6.2 presents the comparative results for state space search with and without reduction (using the local time model in both cases). The reduction results are given for the best case with no visible transitions (this is the case if B is part of a model being verified either for deadlock detection or with respect to other visible properties). With partial order reduction, the number of states increases linearly rather than exponentially: 80 automata are analyzed in less time and a fraction of the space compared to 13 automata without reduction.

Table 6.2: Exploration of example B using a local-time model
  without reduction:
  N            8     9     10     11     12     13
  states    1214  3463   9623  18634  36320  71442
  time (s)     0   0.5    2.4    8.5   11.7   27.7
  with partial order reduction:
  N            8    16     32     48     64     80
  states      75   262    653   1312   1394   2844
  time (s)     0     0    0.5    3.6      8   20.8

The final example of this section is an asynchronous circuit consisting of $N$ XOR gates with delays, connected in a ring, in which gate $i$ outputs $x_i$ after some bounded delay, and has as inputs the (delayed) values of $x_i$ and $x_{i-1}$. Each gate can be represented by a 4-state timed automaton, with states encoding the actual and hidden value of the output signal, and a clock that models the delay [MP95]. The system is strongly coupled: each change in one of the signals potentially cascades to cause changes in all gates in the ring, and the feedback loops create a high complexity of the resulting state space. We present the results of computing all timed states that are reachable from the initial unstable state in which all signals have the value 1. Several variations of the state space search have been employed. In Table 6.3, sync denotes a local-time exploration in which only synchronizable states are explored (cf. Chapter 3). Lines marked with act denote results obtained using the clock activity reduction of [DY96], eliminating clocks which are no longer used before they are reset. For a gate modeled as a timed automaton, this reduction occurs at the stable states, from which the clock is reset when switching to an excited state that subsequently causes a change in output.

The results show that, even though the number of timed states is exponential in the number of gates for both standard and local-time exploration, the performance using the local-time model degrades more gracefully, with a factor of more than 20 in running time for 6 gates distinguishing the two. Moreover, it is of significant advantage to restrict the exploration to synchronizable states. Not surprisingly, clock activity reduction improves efficiency for the local-time model as well, and individually it performs even better than the restriction to synchronizable states.

6.3 Case Studies of Timed Systems

We have evaluated the behavior of our local-time
state space exploration algorithm in practice by analy several models of timed systems that have been presented as case studies in the literature. All of the systems presented here have been previously modeled and analyzed using the Uppaal verifier.

Table 6.3: Exploration of a ring of XOR gates
  Method               4 gates          5 gates           6 gates
                       time   states    time   states     time    states
  standard             0      1104      0.9s   10992      795s    469706
  local                0      1384      2s     12778      >10min  >400k
  local + sync         0      1047      0.7s   6901       38s     95087
  local + act          0      444       1s     5285       29s     52190
  local + act + sync   0      444       1s     5133       27s     49482

The first model is a description of the Philips audio control protocol, developed in order to exchange control information using Manchester encoding between audio equipment components. The protocol is modeled using four timed automata, communicating via 12 channels and using four integer variables and two clocks. The input automaton generates valid bit sequences for the sender automaton, which encodes them, determining the necessary delays for the encoding voltage signal. The receiver automaton decodes the bit stream from the sender by measuring the delay between two subsequent signals. Finally, the output acknowledgement automaton checks the bits decoded by the receiver. In this model, the components are quite strongly synchronized. After taking variable dependencies into account, there is one single state which has a local transition that can form an ample set by itself. As a consequence, the same results are obtained using the standard and local model, with or without partial order reduction.

Table 6.4: Philips Audio Control Protocol (without bus collision)
  States    standard   loc + syn   loc + syn + po
  control   145        145         145
  timed     151        151         151

The box sorter is a simpler example describing a system consisting of four timed automata, representing a controller, the behavior of a box travelling through the system, as well as a piston and an observer that interact with the box. In this example, the network of automata is also quite strongly coupled, with a high density of synchronization transitions and few possible interleavings, as can be observed directly from the description, or by simulating the system using Uppaal. Partial order reduction together with the local time model result in a reduction of the state space by a factor of about 2.5, with the local-time model accounting for the greater part. Using the unrestricted local-time model, without regard for synchronizable states, leads to a somewhat higher number of control states (some of which are not reachable in the standard semantics). At the same time, the total number of timed states decreases. Restricting the model to synchronizable states is beneficial, a characteristic which we have observed for all our examples.

Table 6.5: Box Sorter
  States    standard   local   loc + po   loc + syn   loc + syn + po
  control   61         89      66         61          56
  timed     558        277     233        226         216

The next example is a model of a manufacturing plant. It represents the timing and synchronization mechanism of two robots that transport boxes between a service station and a belt, in either direction. Analyzed with the standard reachability algorithm, the system turns out to be quite complex, resulting in more than 80,000 timed states, even with just five processes and five clocks. The reason for this large state space resides in the time constants that appear in the model: several guards with large integer bounds (> 100) result in a significant number of possible time assignments. The local-time model is especially efficient here, resulting in a 66-fold reduction in the number of timed states, with a small additional gain for partial order reduction.

An implementation variant of the search algorithm concerns testing for inclusion between timed zones. The results presented so far test only whether the newly reached zone is included in one which has already been explored. Conversely, a previously explored zone can be replaced if it is included in the current one, after which the search is continued as usual. This solution may save space, potentially at the expense of time in additional checks. For this example, the space savings due to reduction are increased, while using comparable time.

Table 6.6: Manufacturing Plant Model
  Search           States    standard   loc + syn   loc + syn + po
  no inclusion     control   211        211         175
                   timed     70338      1065        895
  with inclusion   control   211        211         173
                   timed     63119      926         597

Finally, we have run our tool on a model of the bounded retransmission protocol, a version of the alternating bit protocol over a lossy communications channel, with a bounded number of retransmissions of any given packet. The protocol is described using a total of seven processes, which model a sender and a receiver (each with its own channels), two lossy communication lines, and an abstraction of the transmitted file. The model contains 5 clocks, 10 integer variables and more than a dozen communication channels. Runs have been made with two different sets of model constants, both with and without the double inclusion test. Partial order reduction achieves gains of up to 1.3 even though just two states have ample sets with one local transition.

Table 6.7: Bounded Retransmission Protocol
  Variant          States    standard   loc + syn   loc + syn + po
  C1, no incl      control   2477       2513        2038
                   timed     25986      22929       17287
  C1, with incl    control   2477       2508        2036
                   timed     18612      15581       12315
  C2, no incl      control   6577       6590        5982
                   timed     120738     122008      112789
  C2, with incl    control   6552       6574        5966
                   timed     70897      65469       60830

In summary, our results for these models, whose characteristics are representative of typical systems targeted for verification, show that the local-time model, when restricted to synchronizable states, always leads to a clear improvement in the size of the reachable state space. In addition, further savings can be obtained by selecting a reduced set of transitions for exploration and applying partial order reduction techniques from the untimed domain. As expected, the gains obtained during the latter
step are highly dependent on the structure of the model: small improvements (10% - 20%) are obtained for models which are tightly synchronized and have few internal transitions, but the gains can be orders of magnitude if there are a significant number of mutually independent transitions 110 Chapter 7 Conclusions in this dissertation we have presented Solutions for the application of partial order methods to the verihcation of timed systems We have given a partial order reduction algorithm for networks of timed automata which preserves formulas in a timed extension of linear temporal logic The algorithm is based on a modihed local-time semantics, which allows individual automata to execute independently except for synchronization transitions Timed automata constitute the most expressive timing formalism for which partial order reduction has been investigated so far More generally, we have investigated the issues that underlie the application of partial order reduction in a continuous-time model For a general model whose semantics is dehned in terms of timed traces, we show how to separate causal dependence of transitions from time ordering due to con-currency and how to obtain general conditions for the application of partial order reduction As particular instances of this framework we obtain im-proved algorithms for timed event level structures and time Petri nets, as well as the algorithm for timed automata based on the local-time model We have evaluated the performance of our partial order reduction ap-proach by building a tool which implements the reduction algorithm for net-works of timed automata and analyzing several examples The resulting re-duction in state space stems from two sources: the local-time model reduces the number of generated time regions, while the partial order techniques ap-plied from the domain of untimed systems reduce the explored control state space 111 Future Work The research issue that seems most immediately appealing is the 
combination of partial order reduction and symbolic model checking in the context of timed systems. Symbolic approaches for the representation of the large number of time zones resulting from state space exploration have long been an issue of special interest in real-time verification. However, due to the different nature of the operations performed on control states and time regions, symbolic representations that are applicable to both components have been difficult to find. Recently, two data structures inspired by BDDs, clock difference diagrams [BLP+99] and difference decision diagrams [MLAH99], have been proposed. The latter data structure provides a unified framework for handling control and timing information, and algorithms to perform conjunction, substitution and existential quantification, the elementary operations of the state space exploration algorithm for timed automata. Moreover, first reported results, although so far only for systems with a very regular structure, have shown that fully symbolic model checking can significantly outperform the traditional algorithms for timed automata.

The state-space exploration algorithm based on the local-time model can be implemented without difficulty using DDDs, since it is based on the same basic operations as the standard zone-based exploration. Also, it is in this context that static partial order reduction can be used to its best advantage, given its independence of the underlying exploration algorithm: instead of encoding the exploration of all outgoing transitions from a given state, the symbolic representation of the transition relation will merely contain those transitions which have been selected for execution by the reduction algorithm.

It is well known that the size of a symbolic representation does not bear a direct relation to the number of states represented. Therefore, the combination of partial order reduction and symbolic model checking is not automatically a more efficient technique. However, the main goal of a symbolic representation is to efficiently store and process a set of individual states, whereas the local-time model already coalesces individual time regions into coarser ones. Thus, it can be expected that the local-time model would already carry out in part the task of the symbolic algorithm, and furthermore that the selection of a reduced number of transitions may decrease the complexity of a symbolic exploration step.

A second direction of research concerns the applicability of partial order reduction to more expressive models. The present framework for the use of partial order reduction for timed systems depends essentially on the fact that time advances at the same rate in all components of the model. A next step would be to investigate this technique for systems with multi-rate clocks and, more generally, for hybrid systems, which combine continuous and discrete evolution.

Yet another question concerns the applicability of partial order reduction jointly with other state space reduction techniques. In particular, we have seen partial order reduction applied to two different quotient models: the zone automaton and the region graph automaton. But other models that can be used for efficient verification exist, in particular the quotient with respect to a time-abstracting bisimulation, which can be much smaller. An interesting question is whether partial order reduction can be applied together with this minimization, and in particular with on-the-fly techniques.

Ultimately, the goal of this, as of any other verification technique, is the successful application to practical designs. Even though many different formalisms are used for the modeling of timed systems, we have shown that a quite general principle for the application of partial order reduction can be found. Algorithms for a partial order state space exploration can be extracted based on the particular characteristics of the chosen model, using the same representation as a search without reduction or
a slightly modified one. Our results for timed automata, together with prior results for other timed models, show that partial order reduction is a feature which can result in significant gains when implemented in a verification system.

Bibliography

[ABH+97] R. Alur, R. K. Brayton, T. A. Henzinger, S. Qadeer, and S. K. Rajamani. Partial-order reduction in symbolic state space exploration. In Grumberg [Gru97], pages 340-351.
[ACD90] Rajeev Alur, Costas Courcoubetis, and David Dill. Model-checking for real-time systems. In LICS90 [LiC90], pages 414-425.
[AD90] Rajeev Alur and David Dill. Automata for modeling real-time systems. In M. S. Paterson, editor, Automata, Languages, and Programming. 17th International Colloquium Proceedings, volume 443 of Lecture Notes in Computer Science, pages 322-335, Coventry, UK, July 1990. Springer-Verlag.
[AD94] Rajeev Alur and David L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183-235, April 1994.
[AH91] Rajeev Alur and Thomas A. Henzinger. Logics and models of real time: A survey. In J. W. de Bakker, C. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Real-Time: Theory in Practice. REX Workshop Proceedings, volume 600 of Lecture Notes in Computer Science, pages 74-106, Mook, Netherlands, June 1991. Springer-Verlag.
[AK95] Rajeev Alur and Robert P. Kurshan. Timing analysis in COSPAN. In R. Alur, T. A. Henzinger, and E. D. Sontag, editors, Hybrid Systems III. Verification and Control, volume 1066 of Lecture Notes in Computer Science, pages 220-231, New Brunswick, NJ, USA, October 1995. Springer-Verlag.
[AMP98] Eugene Asarin, Oded Maler, and Amir Pnueli. On discretization of delays in timed automata and digital circuits. In Sangiorgi and de Simone [SdS98], pages 470-484.
[Bal96] Felice Balarin. Approximate reachability analysis of timed automata. In RTSS96 [RTS96], pages 52-61.
[BCM+90] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Symbolic model checking: 10^20 states and beyond. In LICS90 [LiC90], pages 428-439.
[BD98] Dragan Bosnacki and Dennis Dams. Integrating real time in Spin: a prototype implementation. In Stan Budkowski, Ana Cavalli, and Elie Najm, editors, Proceedings of FORTE/PSTV '96. IFIP Joint International Conference on Formal Description Techniques for Distributed Systems and Communication Protocols, and Protocol Specification, Testing and Verification, pages 423-438, Paris, France, October 1998. Kluwer Academic Publishers.
[Bel99] Wendy A. Belluomini. Algorithms for Synthesis and Verification of Timed Circuits and Systems. PhD thesis, University of Utah, 1999.
[BF99] Burkhard Bieber and Hans Fleischhack. Model checking of time Petri nets based on partial order semantics. In Baeten and Mauw [BM99], pages 210-225.
[BJLW98] Johan Bengtsson, Bengt Jonsson, Johan Lilius, and Yi Wang. Partial order reductions for timed systems. In Sangiorgi and de Simone [SdS98], pages 485-500.
[BLP+99] G. Behrmann, K. G. Larsen, J. Pearson, C. Weise, and W. Yi. Efficient timed reachability analysis using clock difference diagrams. In Nicolas Halbwachs and Doron Peled, editors, Computer Aided Verification. 11th International Conference, CAV'99 Proceedings, volume 1633 of Lecture Notes in Computer Science, pages 341-353, Trento, Italy, July 1999. Springer-Verlag.
[BM97] Wendy Belluomini and Chris J. Myers. Timed event level structures. In ACM/IEEE International Workshop on Timing Issues in the Specification and Synthesis of Digital Systems, December 1997.
[BM98] Wendy Belluomini and Chris J. Myers. Verification of timed systems using POSETs. In Alan J. Hu and Moshe Y. Vardi, editors, Computer Aided Verification. 10th International Conference, CAV'98 Proceedings, volume 1427 of Lecture Notes in Computer Science, pages 403-415, Vancouver, BC, Canada, June/July 1998. Springer-Verlag.
[BM99] Jos C. M. Baeten and Sjouke Mauw, editors. CONCUR'99: Concurrency Theory. 10th International Conference Proceedings, volume 1664 of Lecture Notes in Computer Science, Eindhoven, Netherlands, August 1999. Springer-Verlag.
[BMH99] Wendy Belluomini, Chris J. Myers, and H. Peter Hofstee. Verification of delayed-reset domino circuits using ATACS. In Proceedings Fifth International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 3-12, Barcelona, Spain, April 1999. IEEE Computer Society Press.
[BMPY97] Marius Bozga, Oded Maler, Amir Pnueli, and Sergio Yovine. Some progress in the symbolic verification of timed automata. In Grumberg [Gru97], pages 179-190.
[BMT99] Marius Bozga, Oded Maler, and Stavros Tripakis. Efficient verification of timed automata using dense and discrete time semantics. In L. Pierre and T. Kropf, editors, Correct Hardware Design and Verification Methods. 10th IFIP WG 10.5 Advanced Research Working Conference, CHARME '99, volume 1703 of Lecture Notes in Computer Science, pages 125-141, Bad Herrenalb, Germany, September 1999. Springer-Verlag.
[Bry86] Randal E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8):677-691, August 1986.
[BS97] Bonnie Berger and Peter W. Shor. Tight bounds for the maximum acyclic subgraph problem. Journal of Algorithms, 25(1):1-18, October 1997.
[BST99] Sebastien Bornot, Joseph Sifakis, and Stavros Tripakis. Modeling urgency in timed systems. In W.-P. de Roever, H. Langmaack, and A. Pnueli, editors, Compositionality: The Significant Difference. International Symposium, COMPOS '97 Revised Lectures, volume 1536 of Lecture Notes in Computer Science, pages 103-129, Bad Malente, Germany, September 1999. Springer-Verlag.
[Cam96] Sergio Vale Aguiar Campos. A Quantitative Approach to the Formal Verification of Real-Time Systems. PhD thesis, Carnegie Mellon University, September 1996.
[CCM+94] S. Campos, E. Clarke, W. Marrero, M. Minea, and H. Hiraishi. Computing quantitative characteristics of finite-state real-time systems. In Proceedings Real-Time Systems Symposium, pages 266-270, San Juan, Puerto Rico, December 1994. IEEE Computer Society Press.
[CCM97] Sergio Campos, Edmund M. Clarke, and Marius Minea. Symbolic techniques for formally verifying industrial systems. Science of Computer Programming, 29(1-2):79-98, July 1997.
[CE81] E. M. Clarke and E. A. Emerson. Design and synthesis of synchronization skeletons using branching time temporal logic. In Logic of Programs: Workshop, Yorktown Heights, NY, May 1981, volume 131 of Lecture Notes in Computer Science, pages 52-71. Springer-Verlag, May 1981.
[CGMP99] E. M. Clarke, O. Grumberg, M. Minea, and D. Peled. State space reduction using partial order techniques. Software Tools for Technology Transfer, 3(1), 1999. Springer-Verlag.
[CGP99] Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Model Checking. MIT Press, 1999.
[CK90] E. M. Clarke and R. P. Kurshan, editors. Computer Aided Verification. 2nd International Conference, CAV'90 Proceedings, volume 531 of Lecture Notes in Computer Science, New Brunswick, NJ, USA, June 1990. Springer-Verlag.
[Cou93] Costas Courcoubetis, editor. Computer Aided Verification. 5th International Conference, CAV'93 Proceedings, volume 697 of Lecture Notes in Computer Science, Elounda, Greece, June 1993. Springer-Verlag.
[CP96] Ching-Tsun Chou and Doron Peled. Formal verification of a partial-order reduction technique for model checking. In T. Margaria and B. Steffen, editors, Tools and Algorithms for the Construction and Analysis of Systems. Second International Workshop, TACAS '96 Proceedings, volume 1055 of Lecture Notes in Computer Science, pages 241-257, Passau, Germany, March 1996. Springer-Verlag.
[DGKK98] Dennis Dams, Rob Gerth, Bart Knaack, and Ruurd Kuiper. Partial-order reduction techniques for real-time model checking. In Jan Friso Groote, Bas Luttik, and Jos van Wamel, editors, Proceedings of the Third International Workshop on Formal Methods for Industrial Critical Systems, pages 157-169, Amsterdam, The Netherlands, May 1998.
[Dil89] David L. Dill. Timing assumptions and verification of finite-state concurrent systems. In J. Sifakis, editor, Automatic Verification Methods for Finite State Systems. International Workshop Proceedings, volume 407 of Lecture Notes in Computer Science, pages 197-212, Grenoble, France, June 1989. Springer-Verlag.
[Dil94] David L. Dill, editor. Computer Aided Verification. 6th International Conference, CAV'94 Proceedings, volume 818 of Lecture Notes in Computer Science, Stanford, CA, USA, June 1994.
[DY96] C. Daws and S. Yovine. Reducing the number of clock variables of timed automata. In RTSS96 [RTS96], pages 73-81.
[EJP97] E. A. Emerson, S. Jha, and D. Peled. Combining partial order and symmetry reduction. In Tools and Algorithms for the Construction and Analysis of Systems. Third International Workshop, TACAS '97 Proceedings, volume 1217 of Lecture Notes in Computer Science, pages 19-34, Enschede, The Netherlands, April 1997. Springer-Verlag.
[ELS93] Peter Eades, Xuemin Lin, and W. F. Smyth. A fast and effective heuristic for the feedback arc set problem. Information Processing Letters, 47(6):319-323, October 1993.
[Esp94] Javier Esparza. Model checking using net unfoldings. Science of Computer Programming, 23(2-3):151-195, December 1994.
[GKPP99] Rob Gerth, Ruurd Kuiper, Doron Peled, and Wojciech Penczek. A partial order approach to branching time logic model checking. Information and Computation, 150(2):132-152, May 1999.
[God90] Patrice Godefroid. Using partial orders to improve automatic verification methods. In Clarke and Kurshan [CK90], pages 176-185.
[God96] Patrice Godefroid. Partial-Order Methods for the Verification of Concurrent Systems, volume 1032 of Lecture Notes in Computer Science. Springer-Verlag, 1996.
[GPSS80] Dov Gabbay, Amir Pnueli, Saharon Shelah, and Jonathan Stavi. On the temporal analysis of fairness. In Conference Record of the Seventh ACM Symposium on Principles of Programming Languages, pages 163-173, 1980.
[GPVW95] Rob Gerth, Doron Peled, Moshe Y. Vardi, and Pierre Wolper. Simple on-the-fly automatic verification of linear temporal logic. In Proceedings of the Fifteenth IFIP WG6.1 International Symposium on Protocol Specification, Testing and Verification, pages 3-18, Warsaw, Poland, June 1995. Chapman & Hall.
[Gru97] Orna Grumberg, editor. Computer Aided Verification. 9th International Conference, CAV'97 Proceedings, volume 1254 of Lecture Notes in Computer Science, Haifa, Israel, June 1997. Springer-Verlag.
[GW91] Patrice Godefroid and Pierre Wolper. Using partial orders for the efficient verification of deadlock freedom and safety properties. In K. G. Larsen and A. Skou, editors, Computer Aided Verification. 3rd International Conference, CAV'91 Proceedings, volume 575 of Lecture Notes in Computer Science, pages 332-342, Aalborg, Denmark, July 1991. Springer-Verlag.
[HK90] Zvi Har'El and Robert P. Kurshan. Software for analytical development of communication protocols. AT&T Technical Journal, 69(1):45-59, Jan.-Feb. 1990.
[HMP92] Thomas A. Henzinger, Zohar Manna, and Amir Pnueli. What good are digital clocks? In W. Kuich, editor, Automata, Languages, and Programming. 19th International Colloquium Proceedings, volume 623 of Lecture Notes in Computer Science, pages 545-558, Wien, Austria, July 1992. Springer-Verlag.
[HNSY92] Thomas A. Henzinger, Xavier Nicollin, Joseph Sifakis, and Sergio Yovine. Symbolic model checking for real-time systems. In Proceedings of the Seventh Annual IEEE Symposium on Logic in Computer Science, pages 394-406, Santa Cruz, CA, USA, June 1992. IEEE Computer Society Press.
[Hoa95] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, 1995.
[Hol92] Gerard J. Holzmann. Design and Validation of Computer Protocols. Prentice-Hall, 1992.
[HP94] Gerard J. Holzmann and Doron Peled. An improvement in formal verification. In D. Hogrefe and S. Leue, editors, Formal Description Techniques VII. Proceedings of the 7th IFIP WG 6.1 International Conference, pages 197-211, Bern, Switzerland, October 1994.
[KLM+97] R. P. Kurshan, V. Levin, M. Minea, D. Peled, and H. Yenigun. Verifying hardware in its software context. In Proceedings of IEEE International Conference on Computer-Aided Design, pages 742-749, San Jose, CA, USA, November 1997. IEEE Computer Society Press.
[KLM+98] R. Kurshan, V. Levin, M. Minea, D. Peled, and H. Yenigun. Static partial order reduction. In Bernhard Steffen, editor, Tools and Algorithms for the Construction and Analysis of Systems, 4th International Conference, TACAS'98 Proceedings, volume 1384 of Lecture Notes in Computer Science, pages 345-357, Lisbon, Portugal, Mar.-Apr. 1998. Springer-Verlag.
[KP88] Shmuel Katz and Doron Peled. An efficient verification method for parallel and distributed programs. In J. W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency. School/Workshop, number 354 in Lecture Notes in Computer Science, pages 489-507, Noordwijkerhout, The Netherlands, May 1988. Springer-Verlag.
[Kur94] Robert P. Kurshan. Computer-Aided Verification of Coordinating Processes: The Automata-Theoretic Approach. Princeton University Press, 1994.
[Lam83] L. Lamport. What good is temporal logic? In R. E. A. Mason, editor, Information Processing 83. Proceedings of the IFIP 9th World Computer Congress, pages 657-668, Paris, France, September 1983. North-Holland.
[LiC90] Proceedings Fifth Annual IEEE Symposium on Logic in Computer Science, Philadelphia, PA, USA, June 1990. IEEE Computer Society Press.
[Lil98] Johan Lilius. Efficient state space search for time Petri nets. In P. Jancar and M. Kretinsky, editors, Proceedings of MFCS'98 Workshop on Concurrency, Brno, Czech Republic, August 1998. Elsevier.
[LPW95] Kim G. Larsen, Paul Pettersson, and Yi Wang. Model-checking for real-time systems. In Fundamentals of Computation Theory. 10th International Conference, FCT'95 Proceedings, volume 965 of Lecture Notes in Computer Science, pages 62-88, Dresden, Germany, August 1995. Springer-Verlag.
[McM92] Kenneth L. McMillan. Using unfoldings to avoid the state explosion problem in the verification of asynchronous circuits. In G. v. Bochmann and D. K. Probst, editors, Computer Aided Verification. Fourth International Workshop, CAV'92 Proceedings, volume 663 of Lecture Notes in Computer Science, pages 164-177, Montreal, Canada, June 1992. Springer-Verlag.
[McM93] Kenneth L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993.
[McM95] Kenneth L. McMillan. A technique of state space search based on unfolding. Formal Methods in System Design, 6(1):45-65, January 1995.
[MF76] P. Merlin and D. J. Farber. Recoverability of communication protocols. IEEE Transactions on Communication, COM-24(9):381-404, 1976.
[Min99] Marius Minea. Partial order reduction for model checking of timed automata. In Baeten and Mauw [BM99], pages 431-446.
[MLAH99] Jesper Møller, Jakob Lichtenberg, Henrik R. Andersen, and Henrik Hulgaard. Fully symbolic model checking of timed systems using difference decision diagrams. In SMC'99. First International Workshop on Symbolic Model Checking Proceedings, pages 89-108, Trento, Italy, July 1999.
[MP95] Oded Maler and Amir Pnueli. Timing analysis of asynchronous circuits using timed automata. In CHARME'95, 1995.
[Mye95] Chris J. Myers. Computer-Aided Synthesis and Verification of Gate-Level Timed Circuits. PhD thesis, Stanford University, 1995.
[NSY92] Xavier Nicollin, Joseph Sifakis, and Sergio Yovine. Compiling real-time specifications into extended automata. IEEE Transactions on Software Engineering, 18(9):794-804, September 1992.
[Ove81] W. T. Overman. Verification of Concurrent Systems: Function and Timing. PhD thesis, University of California at Los Angeles, 1981.
[Pag96] Florence Pagani. Partial orders and verification of real-time systems. In B. Jonsson and J. Parrow, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, pages 327-346, Uppsala, Sweden, September 1996. Springer-Verlag.
[Pag97] Florence Pagani. Ordres partiels pour la verification de systemes temps reel (Partial orders for verification of real-time systems). PhD thesis, Centre d'Etudes et de Recherches de Toulouse, September 1997.
[Pel93] Doron Peled. All from one, one for all: on model checking using representatives. In Courcoubetis [Cou93], pages 409-423.
[Pel94] Doron Peled. Combining partial order reductions with on-the-fly model checking. In Dill [Dil94], pages 377-390.
[Pel96a] Doron Peled. Combining partial order reduction with on-the-fly model checking. Formal Methods in System Design, 8(1):39-64, January 1996.
[Pel96b] Doron Peled. Partial order reduction: Model-checking using representatives. In W. Penczek and A. Szalas, editors, Mathematical Foundations of Computing Science 1996. 21st International Symposium, MFCS'96 Proceedings, number 1113 in Lecture Notes in Computer Science, pages 93-112, Cracow, Poland, September 1996. Springer-Verlag.
[PW97] Doron Peled and Thomas Wilke. Stutter-invariant temporal properties are expressible without the next-time operator. Information Processing Letters, 63(5):243-246, September 1997.
[RM94] Tomas G. Rokicki and Chris J. Myers. Automatic verification of timed circuits. In Dill [Dil94], pages 468-480.
[RTS96] Proceedings 17th IEEE Real-Time Systems Symposium, Los Alamitos, CA, USA, December 1996. IEEE Computer Society Press.
[SB96] Robert H. Sloan and Ugo Buy. Reduction rules for time Petri nets. Acta Informatica, 33(7):687-706, 1996.
[SB97] Robert H. Sloan and Ugo Buy. Stubborn sets for real-time Petri nets. Formal Methods in System Design, 11(1):23-40, July 1997.
[SDL93] Functional Specification and Description Language (SDL). ITU-T Recommendation Z.100. Geneva, 1993.
[SdS98] D. Sangiorgi and R. de Simone, editors. CONCUR'98: Concurrency Theory. 9th International Conference Proceedings, volume 1466 of Lecture Notes in Computer Science, Nice, France, September 1998. Springer-Verlag.
[Tas97] Serdar Tasiran. Compositional and Hierarchical Techniques for the Formal Verification of Real-Time Systems. PhD thesis, University of California at Berkeley, 1997.
[Tri98] Stavros Tripakis. L'Analyse Formelle des Systemes Temporises en Pratique (Formal Analysis of Timed Systems in Practice). PhD thesis, Universite Joseph Fourier, Grenoble, 1998.
[Val90] Antti Valmari. A stubborn attack on state explosion. In Clarke and Kurshan [CK90], pages 156-165.
[VW86] Moshe Y. Vardi and Pierre Wolper. An automata-theoretic approach to automatic program verification. In Proceedings of the Symposium on Logic in Computer Science, pages 332-344, Cambridge, MA, USA, June 1986. IEEE Computer Society Press.
[Won94] Howard Wong-Toi. Symbolic Approximations for Verifying Real-Time Systems. PhD thesis, Stanford University, December 1994.
[YS97] Tomohiro Yoneda and Bernd-Holger Schlingloff. Efficient verification of parallel real-time systems. Formal Methods in System Design, 11(2):197-215, August 1997.
[YSSC93] Tomohiro Yoneda, Atsufumi Shibayama, Bernd-Holger Schlingloff, and Edmund M. Clarke. Efficient verification of parallel real-time systems. In Courcoubetis [Cou93], pages 321-332.

Timing Analysis of Industrial Real-Time Systems*

S. Campos, E. Clarke, W. Marrero, M. Minea
School of Computer Science, Carnegie Mellon University

Abstract

In this paper, we describe a formal method for modelling real-time systems and a procedure to compute the model's timing characteristics automatically. We present algorithms that compute exact bounds on the delay between two specified events. We also describe an algorithm to count the minimum and maximum number of times an event occurs between a given starting condition and an ending condition. These algorithms are based on symbolic model checking techniques which have been successfully used to find bugs in several industrial designs. Such techniques can be used to search exhaustively state spaces with up to 10^30 states. To illustrate the usefulness of our method, we describe the timing analysis for a patient monitoring system with more than 10^13 states. We also present the timing analysis and verification for an aircraft controller. The sizes of the examples we verify demonstrate that our tool can be applied to realistic industrial designs.

1 Introduction

Symbolic model checking is today an industrial-strength formal specification and verification method. It has been applied
successfully in the verification of several industrial designs. It has been used to find bugs in the Futurebus+ cache coherence protocol, which is an IEEE standard and which has been adopted by the U.S. Navy. It is also currently being used by a number of semiconductor companies in the validation of their new products. Using symbolic model checking techniques it is possible to verify finite state systems with an extremely large number of states. State spaces with up to 10^30 states can be exhaustively searched in minutes. Models with more than 10^120 states have been verified using special techniques.

This paper briefly introduces the symbolic model checking approach and describes how it can be used to verify properties of real-time systems. It also shows how these techniques can be extended to compute quantitative timing information that can help in understanding the behavior of the system as well as evaluating its performance.

*This research is sponsored in part by the Wright Laboratory, Aeronautical Systems Center, Air Force Materiel Command, USAF, and the Advanced Research Projects Agency (ARPA) under Grant F33615-93-1-1330, in part by the National Science Foundation under Grant No. CCR-9217549, and in part by the Semiconductor Research Corporation under Contract 92-DJ-294. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the U.S. government.

The model checker accepts the description of the system being verified in a formal specification language and then compiles this specification into a finite state-transition graph. Properties about the system are expressed as formulas in a temporal logic which uses the state-transition graph as a model. Model checking consists of traversing such a graph and verifying if it satisfies the formula representing the property. Symbolic model checking uses boolean formulas to represent the state-transition graph and to represent sets of states. This representation makes it possible to do computations, such as computing successors, on sets of states instead of on individual states. These formulas are implemented using binary decision diagrams (BDDs) which can be manipulated efficiently. BDDs usually generate very compact representations by eliminating redundancy in formulas.

Model checking and several other methods recently proposed to verify real-time systems assume that timing constraints are given explicitly in some notation like temporal logic. The verifier then determines if the system satisfies the timing constraint or not. No other information about its performance and behavior is provided. The algorithms proposed in this work extend the above technique by computing quantitative timing information about the system. This allows for a more detailed analysis than currently available in similar tools. These algorithms provide insight into how well a system works, rather than just determining whether it works at all. Our approach enables a designer to determine the timing characteristics of a complex system given the timing parameters of its components. This information is especially useful in the early phases of system design, when not all parameters have been fixed. In this case, the information provided by our algorithms can be used to establish how changes in a parameter affect the global behavior of the system.

The first two algorithms compute the exact lower and upper bounds on the amount of time that elapses between two events, such as a request and a corresponding response. In the state-transition graph used to model the system, this corresponds to the minimum and maximum length of a path between two sets of states. Alternatively, we may be interested not only in the length of the time interval between two events, but also in the number of times a third event occurs within any such interval. For example, a subsystem may request execution. The time until it finishes execution can be critical for system correctness. However, before the subsystem completes its task the processor may be granted to other processes. The amount of time spent on other tasks while the subsystem is waiting is an important performance measure and can be computed by algorithms similar to those mentioned above. We also present algorithms to compute this kind of information. Specifically, in the state-transition graph model, these algorithms calculate the minimum and the maximum number of times a specified condition can hold on a path from a set of starting states to a set of final states.

0-8186-7005-3/95 $04.00 © 1995 IEEE

All of our algorithms use a discrete model of time. In recent years, there has been considerable research on continuous time models. Most of these models use a transition relation with a finite set of real-valued clocks and constraints on times when transitions may occur. It can be argued that such models lead to more accurate results than discrete time models. However, continuous time models require an infinite state space because the time component in the states can take arbitrary real values. Most verification procedures based on this type of model depend on constructing a finite quotient space called a region graph out of the infinite state space. Unfortunately, the region graph construction is very expensive in practice, and current implementations of algorithms that use it can only handle at most a few thousand states. Because we use a discrete model of time, we are able to take advantage of symbolic techniques in which the transition relation is represented by a binary decision diagram (BDD). This enables us to handle systems that are many orders of magnitude larger than can be handled using continuous time techniques.

Other approaches for analyzing real-time systems exist. The rate monotonic scheduling theory (RMS) is one example. Given a set of processes and their timing constraints, it proposes a priority assignment algorithm that assigns higher priorities to processes with shorter periods. Optimal response time is guaranteed by the RMS theory if priorities are assigned according to this rule. The RMS theory proposes a schedulability test based on total CPU utilization; a set of processes (which have priorities assigned according to RMS) is schedulable if the total utilization is below a computed threshold. If the utilization is above this threshold, schedulability is not guaranteed. This analysis imposes a series of restrictions on the set of processes. Only certain types of processes are considered, with limitations, for example, on periodicity and synchronization.

Another approach to schedulability analysis uses algorithms for computing the set of reachable states of a finite-state system. The algorithms construct the model with the added constraint that whenever an exception occurs (e.g. a deadline is missed) the system transitions to a special exception state. Verification consists of computing the set of reachable states and checking whether the exception state is in this set. No restrictions are imposed on the model in this approach, but the algorithm only checks if exceptions can occur or not. Quantitative information is not generated, and other types of properties cannot be verified, unless encoded in the model as exceptions.

In comparison, our method does not impose any restriction except that the system be modeled as a set of processes that run in parallel and are defined by state-transition graphs. For example, the actual functional behavior of each process can be modeled and analyzed. Schedulability is determined by computing the minimum and maximum execution times for all processes. The process set is schedulable if and only if each process is guaranteed to finish execution before its next period starts. Our technique always determines if the set of processes is schedulable or not, unlike RMS analysis, which may not provide any schedulability information if utilization is above the computed threshold. If the processes are not schedulable, our algorithms determine which specific deadlines are missed and by how much. When no deadline is missed, the same results provide response times for each process, an important performance measure for real-time systems.

Several industrial real-time systems have been modelled and verified using the algorithms described in this paper. Model checking techniques have been used to verify their logical correctness, while quantitative algorithms have been used to evaluate their performance. The first example is a medical monitoring system. Sensors connected to a patient continuously measure various parameters of his or her condition. The system records this data for analysis by physicians and also issues an alarm when abnormal conditions occur. Priority driven concurrent processes are used to control the various components of the monitor. The analysis of the system consists of verifying if the performance of the controller satisfied its expected response time. The results produced by our quantitative algorithms also allowed us to identify inefficiencies in the design and suggest optimizations. The modified model was then analyzed and its performance once again evaluated. The information generated by the algorithms made it possible not only to analyze the original design, but also to improve it.

The second example is an aircraft control system. This example is derived from the one described in; its timing requirements are representative of those found in actual aircraft. We model the software that controls the various components of an airplane, and gather timing information about the system using the tools described above. The system consists of a set of priority driven processes, where each process is responsible for a subsystem of the aircraft. Subsystems being controlled include navigation, display, radar and weapons. We use the algorithm defined by the rate monotonic scheduling theory to make the system predictable. The original analysis of the example
was able to show that only some of the processes were schedulable, while no information was given on the oth-ers Using the algorithms presented in this paper, we were able to determine the schedulability of the complete task set for this example We were also able to determine other criticai performance information, such as the reaction time of the weapons subsystem in both examples the state space of the final model has between 1013 and 1015 states, but its logical properties and timing characteristics can be computed in few seconds on а І486 based workstation The memory requirement for this computation was about two megabytes These examples demonstrate that our tools can be used for the specification and verification of designs of real-time systems used in industry The fact that most properties could be computed in seconds shows that even larger examples can be modelled and verified We believe that the techniques described are mature enough to be used in an industrial environment, and that they can be of significant assistance in improving the efficiency and reliability of real-time designs The remainder of the paper is organized as follows The next section defines BDDs, which play an important role 98 in our symbolic methods Section 3 explains symbolic model checking in Section 4 the algorithms for corn puti ng the longest and shortest paths between two state sets are presented Algorithms for counting the number of states that satisfy a given condition along a path between two sets of states are described in section 5 Sections 6 and 7 present the verification and timing analysis of a medical monitoring system and an aircraft controller respectively Section 8 concludes the paper 2 Binary Decision Diagrams Binary decision diagrams (BDDs) are a canonical representation for Boolean formulas A BE>D is similar to a binary decision tree except that its structure is a directed acyclic graph rather than a tree This allows nodes and substructures to be shared The vertices 
of the graph are labeled with the variables of the Boolean formula, except for the two "leaves", which are labeled with 0 and 1. To ensure canonicity, a strict total order is placed on the variables as one traverses a path from the "root" to a "leaf". The edges are labeled with 0 or 1. For every truth assignment there is a corresponding path in the BDD such that at vertex x, the edge labeled 1 is taken if the assignment sets x to 1; otherwise, the edge labeled 0 is taken. If the path ends in the "leaf" labeled 0, then the assignment does not satisfy the formula, and conversely, if the "leaf" reached is labeled 1, then the formula is satisfied by the assignment. Figure 1 illustrates the BDD for the Boolean formula (a ∧ b) ∨ (c ∧ d).

Figure 1: BDD for (a ∧ b) ∨ (c ∧ d)

Bryant shows that, given a variable ordering, the BDD for a formula is unique. The same paper also gives efficient algorithms for computing the BDDs for ¬f and f ∨ g given the BDDs for f and g. For the purposes of symbolic model checking, it is also necessary to quantify over Boolean formulas. Bryant describes an algorithm for computing the BDD of a restricted formula such as f|v=0 or f|v=1. This allows us to compute the BDD for the formula ∃v[f], where v is a Boolean variable and f is a Boolean formula, as f|v=0 ∨ f|v=1. However, our implementation uses other known algorithms for performing quantification which are more efficient when multiple variables need to be quantified.

All of the formulas used in our algorithms are represented by BDDs. The BDDs for these formulas are built up in a bottom-up manner. The set of atomic propositions in these formulas is precisely the set of state variables; therefore the BDD for an atomic proposition consists simply of a single BDD variable. Since a formula is built up from atomic propositions using Boolean connectives, the BDD for a formula can be constructed using the BDD operations discussed in the previous paragraph. In fact, the implementation allows arbitrary state formulas of computation tree logic (CTL). These formulas may contain branching time operators as well as logical connectives, but for the sake of simplicity, this discussion is limited to Boolean formulas.

3 Symbolic Model Checking

Temporal logic model checking is a technique for determining the correctness of finite-state systems. In this technique, specifications are written as formulas in a propositional temporal logic and computer systems are represented by state-transition graphs. Verification is accomplished by an efficient breadth first search procedure that views the transition system as a model for the logic, and determines whether the specifications are satisfied by that model.

There are several advantages to this approach. An important one is that the procedure is completely automatic. Another advantage is that, if the formula is not true, the model checker will provide a counterexample. The counterexample is an execution trace that shows why the formula is not true. This is an extremely useful feature because it can help locate the source of the error and speed up the debugging process. Another advantage is the ability to verify partially specified systems. Useful information about the correctness of the system can be gathered before all the details have been determined. This allows the verification of a system to proceed concurrently with its design. Consequently, verification can provide valuable hints that will help designers eliminate errors earlier and define better systems.

Model checkers achieve great efficiency through the use of symbolic implementation techniques. Symbolic model checkers represent states and transitions using boolean formulas. Implementing these boolean formulas as BDDs leads to very efficient algorithms for model checking that are able to verify systems with extremely large state spaces. This section will first describe the method used to represent the state-transition graph using boolean formulas. It will then briefly describe the logic used to express the properties to be verified. The model checking algorithm will not be presented here for brevity. More information on symbolic model checking can be found in the references.

Representing the Model

A model of the system in our algorithm is a labeled state-transition graph M. The key to the efficiency of the algorithm is to use BDDs to represent the labeled state-transition graph and to verify whether the formula is true or not. The following method will be used to represent the transition relation as a BDD. Assume that system behavior is determined by the boolean variables V = {v_0, ..., v_{n-1}}. Let V' = {v'_0, ..., v'_{n-1}} be a second copy of these variables. We will use the variables in V to represent the values of the variables in the current state, and the variables in V' to represent the values in the next state. The relationship between the values of variables in the current and the next states is written as a boolean formula using V and V'. This generates the boolean formula N representing the transition relation. This formula is then converted to a BDD N(v_0, ..., v_{n-1}, v'_0, ..., v'_{n-1}).

Computation Tree Logic

Computation tree logic, CTL, is the logic used by our model checker to express the properties that will be verified. Computation trees are derived from state transition graphs. The graph structure is unwound into an infinite tree rooted at the initial state, as seen in figure 2. Paths in this tree represent all possible computations of the program being modelled. Formulas in CTL refer to the computation tree derived from the model. CTL is classified as a branching time logic, because it has operators that describe the branching structure of this tree.

Formulas in CTL are built from atomic propositions, where each proposition corresponds to a variable in the model, boolean connectives ¬ and ∧, and temporal operators. Each operator consists of two parts: a path quantifier followed by a temporal operator. Path quantifiers indicate that the property should be true of all paths from a given state (A), or of some path from a given state (E). The temporal operators describe how events should be ordered with respect to time for a path specified by the path quantifier. They have the following informal meanings:

• F p (p holds sometime in the future) is true of a path if there exists a state in the path that satisfies p.
• G p (p holds globally) is true of a path if p is satisfied by all states in the path.
• X p (p holds in the next state) means that p is true in the next state of the path.
• p U q (p holds until q) is true of a path if there is a state in the path that satisfies q and p holds in every state of the path before it.

Some examples of CTL formulas are given below.

• AG(req → AF ack): it is always the case that if the signal req is high, then eventually ack will also be high.
• EF(started ∧ ¬ready): it is possible to get to a state where started holds but ready does not hold.
• AG EF restart: from any state it is possible to get to the restart state.
• AG(send → A[send U recv]): it is always the case that if send occurs, then eventually recv is true, and until that time, send must remain true.

4 Lower and Upper Bound Algorithms

This section presents the first two algorithms for computing quantitative information about real-time systems. These algorithms compute minimum and maximum time delays between specified events. A real-time system is modelled as a state-transition graph in the way described previously. Recall that our algorithms work on boolean formulas representing sets of states. For example, given a formula representing a set of states S, the formula for T(S) = {s' | N(s, s') holds for some s ∈ S}, the set of all successors of states in S, can be constructed from the formula for S and the formula for the transition relation in one step, regardless of the number of states in S and T(S). In particular, if S(v_0, ..., v_{n-1}) is the formula for S, then the formula for T(S) is ∃v_0, ..., v_{n-1} [S(v_0, ..., v_{n-1}) ∧ N(v_0, ..., v_{n-1}, v'_0, ..., v'_{n-1})]. The fact that all operations consider sets of states instead of individual states is one of the main reasons for the efficiency of our method.

We consider the lower bound algorithm first (figure 3). The algorithm takes two sets of states as input,
start and final. It returns the length of (i.e. the number of edges in) a shortest path from a state in start to a state in final. If no such path exists, the algorithm returns infinity. Recall that the function T(S) gives the set of states that are successors of some state in S. The algorithm also uses two variables R and R' to represent sets of states. The function T, the sets R and R', and the operations of intersection and union can all be easily implemented using BDDs.

    proc lower(start, final)
        i = 0;
        R = start;
        R' = T(R) ∪ R;
        while (R' ≠ R ∧ R ∩ final = ∅) do
            i = i + 1;
            R = R';
            R' = T(R') ∪ R';
        if (R ∩ final ≠ ∅) then return i;
        else return ∞;

Figure 3: Lower Bound Algorithm

The first algorithm is relatively straightforward. Intuitively, the loop in the algorithm computes the set of states that are reachable from start. If at any point we encounter a state satisfying final, we return the number of steps taken to reach the state.

Next, we consider the upper bound algorithm (figure 4). This algorithm also takes start and final as input. It returns the length of a longest path from a state in start to a state in final. If there exists an infinite path beginning in a state in start that never reaches a state in final, the algorithm returns infinity. The function T^{-1}(S') gives the set of states that are predecessors of some state in S' (i.e. T^{-1}(S') = {s | N(s, s') holds for some s' ∈ S'}). R and R' will again be sets of states. We also denote by notfinal the set of all states that are not in final. As before, the algorithm is implemented using BDDs.

The upper bound algorithm is more subtle than the previous algorithm. In particular, we must return infinity if there exists a path beginning in start that remains within notfinal. A backward search from the states in notfinal is more convenient for this purpose than a forward search. We use the following two definitions in proving the algorithm correct:

• S_i is the set of states at the beginning of a path containing i states, all contained in notfinal.
• M is the number of states in a longest path beginning inside start and contained within notfinal.

Figure 2: State transition graph and corresponding computation tree

    proc upper(start, final)
        i = 0;
        R = TRUE;
        R' = notfinal;
        while (R' ≠ R ∧ R' ∩ start ≠ ∅) do
            i = i + 1;
            R = R';
            R' = T^{-1}(R') ∩ notfinal;
        if (R = R') then return ∞;
        else return i;

Figure 4: Upper Bound Algorithm

Although ultimately we are interested in the number of edges in a longest path, it is easier to reason when we count the number of states in a path. The correctness of the algorithm then follows from proving loop invariants relating i, S_i and M.

5 Condition Counting Algorithms

The condition counting algorithms mincount and maxcount take a set of starting states start, a set of final states final and a condition cond, and compute the minimum and the maximum number of states in cond on a path that begins in start and terminates upon first reaching final. They work on an augmented state space whose elements are pairs (s, k), where the counter k records the number of states in cond traversed on the path leading to s; the augmented transition relation increments k on a transition if and only if the new state is in cond. We write Final and Not-final for the sets of augmented states whose state component is in final and not in final, respectively. The minimum count algorithm is given in figure 5.

    proc mincount(start, final, cond)
        current-min = ∞;
        R = {(s, 1) | s ∈ start ∧ s ∈ cond} ∪ {(s, 0) | s ∈ start ∧ s ∉ cond};
        loop
            Reached-final = R ∩ Final;
            m = min {k | (s, k) ∈ Reached-final};
            if m < current-min then current-min = m;
            R' = R ∩ Not-final;
            if R' = ∅ then return current-min;
            R = T(R');
        endloop

Figure 5: Minimum Condition Count Algorithm

Figure 6: Maximum Condition Count Algorithm (figure 5 with min replaced by max and the inequality reversed)

The algorithm uses R to represent the set of augmented states reached at the current iteration, while Reached-final and R' are its intersections with Final and Not-final, respectively. The variable current-min denotes the minimum count over all previous iterations. The minimum computation over the set of values of k in a formula S can be done by existentially quantifying the state variables (computing K = {k | ∃s (s, k) ∈ S}) and following the leftmost nonzero branch in the resulting BDD, provided it uses an appropriate variable ordering. An efficient algorithm that does not depend on the variable ordering is given elsewhere.

At iteration i, the algorithm considers the endpoints of paths with i states. The reached states that belong to final are terminal states on paths that we need to consider. The minimum count for these paths is computed, using the counter component of the path endpoints, and the current value of the minimum is updated if necessary. For the reached states that do not belong to final, we continue the loop after computing their successors. If all reached states are in final, there are no further paths to consider and the algorithm returns the computed minimum.

We reason about the correctness of the algorithm by showing that the following invariants are true before the i-th iteration of the loop:

• I1: A pair (s, k) belongs to R iff s can be reached from start on a path with i states, on which k states are in cond, and only the last state is allowed to be in final.
• I2: current-min is the minimum number of states in cond over all paths with fewer than i states that begin in start and terminate upon reaching final, or infinity if there are no such paths.

Initially, R contains the states in start, paired with 1 if they belong to cond and with 0 otherwise, and current-min is infinity. Therefore, both invariants hold before the first loop iteration. By invariant I1, the intersection Reached-final = R ∩ Final contains all states in final reached for the first time by a path containing i states. The count component k of a reached state is, again by I1, the number of states in cond on such a path. Computing the minimum m of these values and setting current-min = m if m is smaller ensures that current-min now accounts for paths with up to i states. Therefore, I2 will hold at the beginning of the next iteration. Since we only consider paths that reach final once, it is correct to continue the state traversal only from states in R' = R ∩ Not-final. If this set is empty, there are no further paths, with more than i states, that reach final. Therefore, by invariant I2, current-min is the correct return value. For the case where the loop is continued, the definition of the transition relation ensures that the count component in the augmented state space is incremented on a transition step if and only if the new state is in cond. This implies that the count component k represents at all times the number of states in cond traversed on a path. Consequently, I1 will hold again for the new value of R obtained as the image of R' under T.

Next, we argue that the algorithm terminates. The precondition ensures that all paths from start reach final in a finite number of steps. Thus, we will eventually have R' = R ∩ Not-final = ∅, and the algorithm correctly returns the value current-min.

As an optimization, the number of iterations required in certain cases can be reduced by introducing the line R' = R' ∩ {(s, k) | s ∈ S ∧ k < current-min} before testing R' = ∅. All paths with a count of at least current-min can be safely discarded, which reduces the search to those paths on which the count for cond is still smaller than the currently achieved minimum.

Finally, we note that the algorithm for the maximum count, given in figure 6, has the same structure and can be obtained by replacing min with max and reversing the inequalities. Variants of both algorithms can be used to compute other measures that are a function of the number of states on a path that satisfy a given condition. For example, we can determine the minimum and the maximum number of states belonging to a given set cond over all paths of a certain length l in the state space.

6 A Medical Monitoring Example

This section presents a patient monitoring system derived from the one presented in [14]. It is a realistic example that models many features existing in actual systems. The example has been expanded to show how the algorithms described in this paper can be used to analyze models of industrial complexity. The resulting model for this example has more than 10^13 states, but its timing characteristics can be computed in a few seconds.

The system consists of a set of processes and can be seen in figure 7. The acquire process is the only periodic process in the system; all others are aperiodic. Acquire executes every 20ms, and its function is to read data from sensors monitoring the patient. Usually, the data read by the sensors contain spurious information. In order to eliminate erroneous data, the output of acquire is sent to the filter process.
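As an added example (not code from the paper or from the SMV system), the following Python builds reduced ordered BDDs with a unique table the way section 2 describes: a strict variable order, sharing of identical substructures, Bryant's apply for ¬f and f ∨ g, restriction f|v=b, and quantification as f|v=0 ∨ f|v=1. It then uses those operations for the image computation T(S) = ∃v[S(v) ∧ N(v, v')] of sections 3 and 4 on a constructed 2-bit counter; the counter, its variable names v0, v1, v0', v1' and the interleaved ordering are assumptions, not taken from the paper.

```python
# Added example, not from the paper or SMV: a minimal reduced ordered BDD
# with a unique table, showing the section 2/3 operations (canonical build,
# Bryant's apply, restriction, ∃v f = f|v=0 ∨ f|v=1, and the symbolic image
# T(S) = ∃v[S(v) ∧ N(v, v')]) on a constructed 2-bit counter.

class BDD:
    def __init__(self, order):
        self.vars = list(order)                      # level -> variable
        self.level = {v: i for i, v in enumerate(self.vars)}
        self.unique = {}   # (level, low, high) -> node id; 0 and 1 are the leaves
        self.info = {}     # node id -> (level, low, high)

    def mk(self, level, low, high):
        if low == high:                              # redundant test: drop node
            return low
        key = (level, low, high)
        if key not in self.unique:                   # share identical subgraphs
            self.unique[key] = len(self.info) + 2
            self.info[self.unique[key]] = key
        return self.unique[key]

    def var(self, v):
        return self.mk(self.level[v], 0, 1)

    def apply(self, op, f, g):
        """Bryant's apply: combine two BDDs under a binary Boolean operator."""
        memo, bottom = {}, len(self.vars)
        def rec(f, g):
            if f < 2 and g < 2:
                return int(op(bool(f), bool(g)))
            if (f, g) not in memo:
                lf = self.info[f][0] if f > 1 else bottom
                lg = self.info[g][0] if g > 1 else bottom
                lvl = min(lf, lg)
                f0, f1 = self.info[f][1:] if lf == lvl else (f, f)
                g0, g1 = self.info[g][1:] if lg == lvl else (g, g)
                memo[(f, g)] = self.mk(lvl, rec(f0, g0), rec(f1, g1))
            return memo[(f, g)]
        return rec(f, g)

    def AND(self, f, g): return self.apply(lambda x, y: x and y, f, g)
    def OR(self, f, g): return self.apply(lambda x, y: x or y, f, g)
    def IFF(self, f, g): return self.apply(lambda x, y: x == y, f, g)
    def NOT(self, f): return self.apply(lambda x, _: not x, f, 0)

    def restrict(self, f, v, value):
        """f|v=value: every test of v is replaced by the chosen branch."""
        lv, memo = self.level[v], {}
        def rec(f):
            if f < 2: return f
            if f not in memo:
                lvl, low, high = self.info[f]
                if lvl > lv: memo[f] = f             # v cannot occur below here
                elif lvl == lv: memo[f] = high if value else low
                else: memo[f] = self.mk(lvl, rec(low), rec(high))
            return memo[f]
        return rec(f)

    def exists(self, f, v):
        return self.OR(self.restrict(f, v, 0), self.restrict(f, v, 1))

    def rename(self, f, mapping):
        """Substitute variables; the mapping must preserve the variable order."""
        memo = {}
        def rec(f):
            if f < 2: return f
            if f not in memo:
                lvl, low, high = self.info[f]
                v = mapping.get(self.vars[lvl], self.vars[lvl])
                memo[f] = self.mk(self.level[v], rec(low), rec(high))
            return memo[f]
        return rec(f)

def figure1_checks():
    """(a ∧ b) ∨ (c ∧ d) from figure 1, ordering a < b < c < d."""
    bdd = BDD("abcd")
    a, b, c, d = (bdd.var(v) for v in "abcd")
    f = bdd.OR(bdd.AND(a, b), bdd.AND(c, d))
    g = bdd.NOT(bdd.AND(bdd.NOT(bdd.AND(a, b)), bdd.NOT(bdd.AND(c, d))))
    h = bdd.exists(f, "a")                       # = b ∨ (c ∧ d)
    # canonicity: equivalent formulas are the same node, so == decides equivalence
    return f == g, h == bdd.OR(b, bdd.AND(c, d))

def counter_image(v1, v0):
    """T(S) = ∃v[S(v) ∧ N(v, v')] for a constructed 2-bit counter v1v0 that
    increments mod 4, S being the single state (v1, v0); decoded result."""
    bdd = BDD(["v0", "v0'", "v1", "v1'"])        # current/next interleaved
    x0, x0n, x1, x1n = (bdd.var(v) for v in bdd.vars)
    N = bdd.AND(bdd.IFF(x0n, bdd.NOT(x0)),                  # v0' = ¬v0
                bdd.IFF(x1n, bdd.NOT(bdd.IFF(x1, x0))))     # v1' = v1 xor v0
    S = bdd.AND(x1 if v1 else bdd.NOT(x1), x0 if v0 else bdd.NOT(x0))
    img = bdd.AND(S, N)
    for v in ("v0", "v1"):                       # quantify out the current state
        img = bdd.exists(img, v)
    img = bdd.rename(img, {"v0'": "v0", "v1'": "v1"})
    return [(b1, b0) for b1 in (0, 1) for b0 in (0, 1)
            if bdd.restrict(bdd.restrict(img, "v1", b1), "v0", b0) == 1]
```

The interleaved ordering v0 < v0' < v1 < v1' is what makes the final rename legal: once the current-state variables are quantified out, mapping each primed variable to its unprimed partner keeps the relative order, so the result is still a reduced ordered BDD without rebuilding it. The same image step, iterated to a fixed point, is what the lower bound algorithm of figure 3 performs symbolically.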
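The lower bound, upper bound and condition counting algorithms of figures 3 to 6 use only set operations and the image functions T and T^{-1}, so they can be run unchanged over explicit sets of states. The following Python is an added example, not code from the paper or from SMV: it applies the four algorithms to a constructed scheduling model in the spirit of section 6 (the process names P, Q and I, the period and the execution times are assumptions chosen for illustration). In the first variant the interrupt may fire at most once per period, so Q's response time is bounded and the condition count gives the number of ticks the interrupt steals while Q is waiting; in the second variant that limit is removed and the upper bound algorithm reports ∞, the same outcome the audio process shows in the second table of section 6.

```python
# Added example, not from the paper or SMV: the set-based algorithms of
# sections 4 and 5 (figures 3-6) over explicit Python sets instead of BDDs,
# applied to a constructed scheduling model (assumed names and numbers):
# periodic P (period 4 ticks, execution 1) releases aperiodic Q (execution 2)
# when it finishes; a higher-priority interrupt I (execution 1) may arrive
# nondeterministically, at most once per period or without limit.
from collections import namedtuple

INF = float("inf")
PERIOD, P_EXEC, Q_EXEC, I_EXEC = 4, 1, 2, 1
# State at the start of a tick: phase t, remaining execution of P, Q, I
# (0 = not pending), I already used this period, Q released in this very state.
State = namedtuple("State", "t rp rq ri iu rel")

def running(s):
    """Fixed-priority choice for this tick: I > P > Q (None = idle)."""
    return "I" if s.ri else "P" if s.rp else "Q" if s.rq else None

def successors(s, once_per_period):
    """Run one tick, advance time, then let I arrive (or not) for the next tick."""
    rp, rq, ri, rel, run = s.rp, s.rq, s.ri, False, running(s)
    if run == "I":
        ri -= 1
    elif run == "P":
        rp -= 1
        if rp == 0:                           # P completion triggers Q
            rq, rel = Q_EXEC, True
    elif run == "Q":
        rq -= 1
    t, iu = (s.t + 1) % PERIOD, s.iu
    if t == 0:                                # new period: release P, reset I budget
        rp, iu = P_EXEC, False
    nxt = {State(t, rp, rq, ri, iu, rel)}
    if ri == 0 and not (once_per_period and iu):
        nxt.add(State(t, rp, rq, I_EXEC, once_per_period, rel))
    return nxt

def build_model(once_per_period=True):
    """Explore all reachable states; return (states, succ, pred)."""
    init = State(0, P_EXEC, 0, 0, False, False)
    todo, succ, pred = [init, init._replace(ri=I_EXEC, iu=once_per_period)], {}, {}
    while todo:
        s = todo.pop()
        if s in succ:
            continue
        succ[s] = successors(s, once_per_period)
        for s2 in succ[s]:
            pred.setdefault(s2, set()).add(s)
            todo.append(s2)
    return set(succ), succ, {s: pred.get(s, set()) for s in succ}

def image(R, succ):      # T(S): successors of some state in S
    return {s2 for s in R for s2 in succ[s]}

def preimage(R, pred):   # T^-1(S'): predecessors of some state in S'
    return {s1 for s in R for s1 in pred[s]}

def lower(start, final, succ):
    """Figure 3: number of edges on a shortest path from start to final, or INF."""
    i, R = 0, set(start)
    Rn = image(R, succ) | R
    while Rn != R and not (R & final):
        i, R = i + 1, Rn
        Rn = image(Rn, succ) | Rn
    return i if R & final else INF

def upper(start, final, states, pred):
    """Figure 4: edges on a longest path from start to final, searched backward
    from notfinal; INF if some path from start can avoid final forever."""
    notfinal = states - final
    i, R, Rn = 0, set(states), notfinal
    while Rn != R and Rn & start:
        i, R = i + 1, Rn
        Rn = preimage(Rn, pred) & notfinal
    return INF if R == Rn else i

def count_bound(start, final, cond, succ, pick):
    """Figures 5/6: min (pick=min) or max (pick=max) number of states in cond
    on a path from start that stops on first reaching final.  Pairs (s, k)
    carry the count as in section 5; every path must reach final."""
    best, R = None, {(s, int(s in cond)) for s in start}
    while True:
        reached = [k for s, k in R if s in final]
        if reached:
            m = pick(reached)
            best = m if best is None else pick(best, m)
        Rn = {(s, k) for s, k in R if s not in final}
        if not Rn:
            return best
        R = {(s2, k + (s2 in cond)) for s, k in Rn for s2 in succ[s]}

def analyse(once_per_period=True):
    """Response-time bounds of Q and the interrupt time charged to its window."""
    states, succ, pred = build_model(once_per_period)
    start = {s for s in states if s.rel}                  # Q just released
    final = {s for s in states if s.rq == 0}              # Q finished
    cond = {s for s in states if running(s) == "I" and s.rq > 0}  # I runs, Q waits
    res = {"states": len(states), "min_response": lower(start, final, succ),
           "max_response": upper(start, final, states, pred)}
    if res["max_response"] != INF:     # counting needs every path to reach final
        res["min_interrupt_ticks"] = count_bound(start, final, cond, succ, min)
        res["max_interrupt_ticks"] = count_bound(start, final, cond, succ, max)
    return res

if __name__ == "__main__":
    print(analyse(True), analyse(False))
```

The explicit-set version enumerates every state, so it only scales to small models; the BDD implementation in the paper performs exactly the same sequence of set operations on formulas. Note that the condition count is only requested when the upper bound is finite, which is the precondition stated in section 5 for termination of mincount and maxcount.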
Filter is an aperiodic process. It is triggered whenever data is read from the sensors, that is, whenever acquire finishes its execution. The filter process depends on data generated by the acquire process. The same dependency pattern is also used to trigger execution of the other aperiodic processes. After filter executes, its results are analyzed by the patient condition detection processes. Filter preprocesses the data generated, and may decide to start the detection processes or not, depending on the data available. Three such processes are modelled in this example, to detect abnormal conditions in the blood pressure, heart rate and temperature. The detection processes can issue an alarm after analyzing the data. If the alarm process is executed, it also starts the audio process that generates the actual alarm signal. Finally, the filter process also sends its data to the display and recorder processes, which display the data on the screens and record it in some non-volatile media for future analysis. The execution times for the processes in the system can be summarized as follows: the acquire process executes for 1ms, the filter process executes for 3ms, and all other processes execute for 2ms.

Most processes in this system are aperiodic in nature. Because of this, methods such as rate monotonic scheduling (RMS) cannot be directly used to analyze this process set. For example, the assignment of priorities to processes is more complex than in the periodic case, which can use the RMS algorithms. In this example priorities have been assigned heuristically, and the quantitative algorithms have been used to investigate the efficiency of the assignment. Initially, the priority order defined was, from the highest to the lowest priority process: acquire, filter, blood_pressure, heart_rate, temperature, display, recorder, alarm, and audio.

The aperiodic nature of the processes also makes it difficult to determine the schedulability requirements. Except for the acquire process, no other process has a deadline. Nevertheless, the timing constraints of the system can be easily identified. The acquire process has a period and a deadline of 20ms. The timing constraints for the other processes can be defined in several ways. A straightforward way is to require that all processes finish before the next execution of acquire. Our algorithms can determine whether the process set satisfies this constraint by computing minimum and maximum times between the moment when acquire requests execution and the moment when each process terminates. However, this requirement can be too restrictive in some cases. Overlapping the execution of consecutive process instantiations is acceptable if the response time can still be bounded. The algorithms described in this paper can determine response times for all processes by checking whether there exists a process that can execute for an unbounded amount of time. If there is such a process, then the system is not schedulable. If not, these results allow the designers to check whether the response times are acceptable. Both results have been computed for this example, and are presented in the following table (all times in ms).

Process          Period   (1) min   (1) max   (2) min   (2) max
acquire          20       1         1         1         1
filter                    4         4         3         3
blood_pressure            6         ∞         2         2
heart_rate                6         ∞         2         4
temperature               6         ∞         2         6
display                   6         12        2         8
recorder                  8         14        4         10
alarm                     12        ∞         6         10
audio                     14        ∞         2         2

• (1) Minimum and maximum times between the start of acquire and the end of execution of the process. If the maximum time is less than the period of acquire, then the process will finish execution before the next instantiation of acquire is started.
• (2) Minimum and maximum times between the start and the end of execution of each process. If this time is less than infinity, then the system is schedulable.

In some cases, it is possible that the condition detection processes are never executed, as well as the alarm and audio processes. Because of this, the maximum time from the start of acquire until these processes finish is infinity. However, in many situations it is important to know the maximum time until an event, provided it will occur. We can change the model to reflect that an alarm will always be issued, and compute such information. In this model, we determined that from the moment acquire reads abnormal data until the alarm sounds, less than 18ms will elapse (16ms for alarm and 18ms for audio).

The results produced by our algorithms can provide more information about the behavior of the system than just determining its schedulability. For example, we can see from the data presented that the alarm and audio processes are the ones with the highest response times. However, sounding the alarm is a critical function that should not be postponed by other functions such as recording the data on tape. One way to avoid this problem is to raise the priority of alarm to avoid interference from less important processes, and compute the response times for the modified model. We raised the priority of the alarm process by changing the priority order to: acquire, filter, alarm, blood_pressure, heart_rate, temperature, display, recorder, and audio. The response times were computed again, and the results are presented in the table below.

Figure 7: The patient monitoring system

Process          Period   (1) min   (1) max   (2) min   (2) max
acquire          20       1         1         1         1
filter                    4         4         3         3
blood_pressure            6         ∞         2         2
heart_rate                6         ∞         2         6
temperature               6         ∞         2         10
display                   6         18        2         14
recorder                  8         20        4         16
alarm                     8         ∞         2         2
audio                     14        ∞         6         ∞

Some unexpected results can be seen in this table. The system is no longer schedulable: the audio process can execute for an unbounded amount of time. By comparing the two tables we see that the maximum execution times of most processes increased, even though no additional load has been added to the system. In order to verify why this behavior was occurring, we used the counterexample feature of the SMV model checking system. A counterexample is an execution trace that violates a specified property. By expressing the property that the audio process would always finish execution, we were able to produce a counterexample which showed that this property was false. The execution trace revealed the following execution sequence leading to the problem:

    acquire; filter; blood_pressure; alarm; heart_rate; alarm; temperature; alarm; display; recorder; acquire; filter; ...

We can see from the trace above that the problem is caused by the fact that alarm executes three times for the same instantiation of acquire when all detection processes find abnormalities. This causes an overload in the system, making it unschedulable. The reason this did not happen before was that every time a detection process triggered the alarm process, it requested execution, but it would only execute after all detection processes had executed. One execution responded to all alarm conditions. A simple solution to this problem is to lower the priority of alarm and change the design so that multiple alarms are handled correctly. The final priority order is: acquire, filter, blood_pressure, heart_rate, temperature, alarm, display, recorder, and audio. The results computed using this priority order showed that the system was schedulable.

The condition counting algorithms can also be used to analyze the behavior of the system. If the designer believes that the alarm process is being blocked by less important processes, he or she can use the condition counting algorithms to quantify this effect. For example, we can compute how much time is spent on the execution of the display or the recorder processes while alarm is requesting execution. The parameters of mincount and maxcount can be specified as follows: the initial state is the start of alarm, the final state is the end of execution of alarm, and the condition to be counted is the processor being granted to either display or recorder. Using the first priority order presented, the time spent on display and recorder while alarm is blocked is 4ms. With the last
priority order this time is zero, as expected.

The algorithms described in this paper allow us to analyze the medical monitoring example in many ways. Schedulability is determined by computing the response times of all processes. The reaction time to an event is computed in the same manner. We can determine the minimum and maximum latencies between the occurrence of an abnormal event and its recognition by the system (in this case by sounding the alarm). The algorithms also allow us to study how changes in the parameters affect global behavior. In this example we can see the impact that the priority order has on response times. This type of analysis can be very useful in validating the design of industrial real-time systems.

7 An Aircraft Controller

As another example of how our techniques can be applied in the verification of realistic real-time systems, this section briefly presents the verification of an aircraft controller. A complete analysis of this example can be found in the references.

The control system for an airplane can be characterized by a set of sensors and actuators connected to a central processor. This processor executes the software to analyze sensor data and control the actuators. Our model describes this control program and defines its requirements so that the specifications for the airplane are met. The requirements used are similar to those of existing military aircraft, and the model is similar to one described in the literature.

The aircraft controller is divided into systems and subsystems. Each system performs a specific task in controlling a component of the airplane. The most important systems are implemented in our model to provide a realistic representation of the controller. The systems being controlled include navigation, radar control, weapons and display. Each system is composed of one or more subsystems. Timing constraints for each subsystem are derived from factors such as required accuracy, human response characteristics and hardware requirements. The following table presents the subsystems being modelled, as well as their timing requirements (periods and execution times in ms).

System     Subsystem        Per     Exec   %cpu    Pri
Display    status update    200     3      1.50    12
           keyset           200     1      0.50    16
           hook update      80      2      2.50    36
           graph displ      80      9      11.25   40
           store update     200     1      0.50    20
RWR        contact mgmt     25      5      20.00   72
Radar      target update    50      5      10.00   60
           track filter     25      2      8.00    84
NAV        nav update       50      8      16.00   56
           steer cmds       200     3      1.50    24
Track      target update    100     5      5.00    32
Weapon     weapon prot      200*    1      0.50    28
           weapon aim       50      3      6.00    64
           weapon rel       200**   3      1.50    98
Data Bus   poll device      40      1      2.50    68

* Weapon protocol is aperiodic with a deadline of 200ms.
** Weapon release has a period of 200ms, but its deadline is 5ms.

Concurrent processes are used to implement each subsystem. In order to enforce the different timing constraints of the processes, priority scheduling is used. Predictability is guaranteed by scheduling the processes using RMS. We have implemented this control system in the SMV language. The SMV model checker has been used to verify its functional correctness, while its timing correctness has been checked using the quantitative algorithms described in this paper. Both a preemptive scheduler and a non-preemptive scheduler were implemented to analyze the effect of preemption on the response times. Schedulability was determined by computing the response times of each process and checking that each process met its deadline. In this example the deadlines are the same as the periods (except for the weapon release subsystem). The following table summarizes the execution times computed by the algorithms. Processes are shown in decreasing order of priority. Deadlines are also shown so that schedulability can be easily checked. The minimum and maximum execution times are given for both the preemptive and the non-preemptive scheduler (all times in ms).

Subsystem            Deadline   Preemptive        Non-preemptive
                                min     max       min     max
Weapon release       5          3       3         3       9
Radar track filter   25         2       5         2       10
Contact mgmt         25         7       10        7       15
Data bus poll        40         1       11        1       14
Weapon aim           50         10      14        2       18
Radar target upd     50         12      19        12      19
NAV update           50         20      34        20      27
Display graphic      80         10      44        10      43
Display hook upd     80         14      46        14      47
Track target upd     100        26      51        26      51
Weapon protocol      200        1       21        3       46
NAV steer cmds       200        35      85        36      74
Display store upd    200        36      95        37      97
Display keyset       200        37      96        38      98
Display status upd   200        40      99        41      101

We can see from the table above that the process set is schedulable using preemptive scheduling. Notice, however, that preemption does not have a big impact on response times. Except for the most critical process, all others maintain their schedulability if a non-preemptive scheduler is used. Moreover, we can see that non-preemption causes weapon release to miss its deadline, but by a relatively small amount. If a preemptive scheduler were expensive, reducing the CPU utilization slightly might make the complete system schedulable without changing the scheduler. By having such information the designer can easily assess the impact of various alternatives to improve the performance, without having to change the implementation.

8 Conclusion

This paper presents a formal method to express and compute timing characteristics of real-time systems. A description of the system is first compiled into a state-transition graph represented using binary decision diagrams. Symbolic model checking algorithms compute the minimum and maximum lengths of paths between two state sets. In addition, an algorithm for computing the exact upper and lower bounds on the number of times a condition can hold on any path between two state sets is presented. Using these techniques we have verified two examples which model actual industrial applications. These examples demonstrate that our tools can handle applications of realistic size and be useful in the design process of industrial real-time systems.

The symbolic techniques employed have made our algorithms very efficient. BDDs provide a concise representation for the state-transition graph and for state sets. This representation allows us
to handle examples of realistic complexity State-transition graphs with iO30 states can be traversed in minutes 105 Our method computes quantitative information that can-not be directly obtained using other approaches The bounds computed by our algorithms allow us to make as-sertions about system performance rather than just about its correciness Furthermore the versatility of our method is in-dicated by the fact that practically any real-time design can be represented The only restriction imposed on the system being analyzed is that it be modeled as a state-transition graph Finally, our techniques can be used during the design process to evaluate design decisions For example, in the medical monitoring system, inefficiencies were identified and the computed information led to suggestions for possible improvement The model was modified to account for these changes The analysis of the new system confirmed that the changes were indeed optimizations The examples analyzed in this work indicate that the information obtained by our method can be extremely useful in the development of real-time systems We are confident that this method can be used successfully in improving the efficiency and reliability of real-time system design References R Alur, C Courcourbetis, and D Dill Model-checking for real-time systems in Proceedings of the 5th Symp on Logic in Computer Science, pages 414-425,1990 R Alur and D Dill Automata for modeling real-time systems in Lecture Notes in Computer Science, 17th iCALP Springer-Verlag, 1990 R Alur and T A Henzinger Logics and models of real-time: a survey in Lecture Notes in Computer Science, Real-Time: Theory in Practice Springer-Verlag, 1992 R E Bryant Graph-based algorithms for boolean function manipulation iEEE Transactions on Com-puters, C-35(8), 1986 J R Burch, E M Clarke, K L McMillan, and D L Dill Sequential circuit verification using symbolic model checking in 27th ACM iEEE Design Automa-tion Conference, 1990 J R Burch, E M Clarke, K L 
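The minimum and maximum path-length computations summarized in the conclusion above, as an added example that is not the paper's own code: one way to compute both bounds with forward and backward image iteration over plain Python sets instead of BDDs. The set operations used (image, preimage, union, intersection, fixpoint test) are the ones a symbolic engine supplies on state sets, so the iteration structure is what carries over; nothing here is symbolic. The graph, its state names, the start/final sets and the `response_bounds` helper are all constructed for illustration.

```python
# Added example (not from the paper): explicit-state minimum / maximum
# path length between two state sets of a state-transition graph.
# A graph is a dict: state -> set of successor states.

INFINITY = float("inf")


def image(graph, states):
    """Forward image: every state reachable from `states` in exactly one transition."""
    return {t for s in states for t in graph.get(s, ())}


def preimage(graph, states):
    """Backward image: every state with at least one successor inside `states`."""
    return {s for s, succ in graph.items() if succ & states}


def minimum(graph, start, final):
    """Number of transitions on a shortest path from `start` to `final`.

    R_0 = start, R_{i+1} = R_i ∪ image(R_i); the answer is the first i at
    which R_i meets `final`. If R stops growing before that, `final` is
    unreachable and the minimum is unbounded.
    """
    i, reached = 0, set(start)
    while not (reached & final):
        grown = reached | image(graph, reached)
        if grown == reached:          # fixpoint without touching final
            return INFINITY
        reached, i = grown, i + 1
    return i


def maximum(graph, start, final):
    """Number of transitions on a longest path from `start` to `final`.

    B_0 = ¬final, B_{i+1} = ¬final ∩ preimage(B_i): the states from which
    some path of length i stays outside `final`. The answer is the first i
    with start ∩ B_i = ∅ (every path of length i from start has hit final).
    If B reaches a fixpoint that still contains a start state, some run can
    avoid `final` forever and the maximum is unbounded. Every state is
    assumed to have a successor; final states below loop on themselves.
    """
    all_states = set(graph) | {t for succ in graph.values() for t in succ}
    nonfinal = all_states - final
    i, current = 0, nonfinal
    while current & start:
        nxt = nonfinal & preimage(graph, current)
        if nxt == current:            # fixpoint: a start state never has to reach final
            return INFINITY
        current, i = nxt, i + 1
    return i


# Constructed toy graph: state 0 is "request issued", state 5 is "request
# granted". One run grants in 2 transitions (0,1,5), another in 4 (0,2,3,4,5).
TOY = {
    0: {1, 2},
    1: {5},
    2: {3},
    3: {4},
    4: {5},
    5: {5},   # granted is absorbing, which keeps the relation total
}

# Same system with a retry edge 3 -> 2: a run may cycle 2,3,2,3,... for ever,
# so the worst-case response time is unbounded while the best case is unchanged.
TOY_WITH_RETRY = {**TOY, 3: {4, 2}}


def response_bounds(graph, start=frozenset({0}), final=frozenset({5})):
    """(minimum, maximum) number of transitions from `start` to `final`."""
    return minimum(graph, start, final), maximum(graph, start, final)


if __name__ == "__main__":
    print(response_bounds(TOY))                           # (2, 4)
    print(response_bounds(TOY_WITH_RETRY))                # (2, inf)
    print(response_bounds(TOY, final=frozenset({9})))     # (inf, inf)
```

The unbounded cases are the ones a schedulability analysis cares about most: a maximum of `inf` means the fixpoint test found a start state from which the system can circulate indefinitely without ever reaching the target, which is exactly the kind of missed-deadline path a finite response-time bound would hide.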